Logging for all firewall rules

Started by JasMan, December 31, 2018, 04:00:50 PM

Hey,
I'm curious if OPNsense has a switch or option where I can enable the logging for all firewall rules at once.

Why? When the ruleset becomes bigger and bigger, and you find out that a client has access to something that it shouldn't have, it's difficult to find the rule which allows the traffic.
In this case it would be great to temporarily enable the logging for all rules at once to check in the log which rule allows the specific traffic.

Thank you.
Jas Man

Duck, Duck, Duck, Duck, Duck, Duck, Duck, Duck, Goose

Any idea?!

Not a single switch, no. The default rules logging on/off is in System:Settings:Logging; the rest are down to the rules you've created.
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

What a shame  ;D

Do you agree that this would be a nice feature? My old Sophos UTM has this and I found it really helpful.

Maybe... Maybe not.


I'm on the fence.  :)

I've submitted a feature request: https://github.com/opnsense/core/issues/3124


Very needed feature but not understood, so we're stuck without it. Filterlog is the main source of evidence of network activity with other components often dropping the data. I log everything, and I wish there was a better view than "Plain View" to read it.

Keep in mind that, depending on the amount of traffic and rules you have, enabling logging for all of them can cause problems, such as filling up your drive and possibly slowing down your network.

Thanks. I did the testing and there's no performance impact. The rate of messages isn't high; it's a bit more than a DNS query log, which people store without doubts. It creates like 10MB per client per day, visible but not much, especially compared to ntopng. There will be a turnover of 5GB per month for a 50 device network. Ntopng will do it in 1 day. It's very light logging, not tracing size, so even in case of high throughput like a speedtest, it will drop just very few messages. So it's valuable per size and the only source of information about blocked requests.

Monthly turnover example:
ntopng (100GB) > zenarmor (20GB) > ...... > filterlog (5GB) > dnslog (4GB) > flowlog (1.5GB) > dhcplog (1.5GB) > .... > crowdsec (16MB) > firewalllog (15MB)

Thinking maybe it's not needed, I turned it off yesterday for all pass requests. But the next day I found myself clueless about what's going on. The most frequently accessed window, Live View, got empty; I thought this one was fetched somehow in realtime from the process. Now this switch makes even more sense! I'm back in the "log all" camp and hope for "Plain View" parsing in the future. If "Live View" is a filterlog reader, then it can either be expanded even further into the past, or its code can be used in "Plain View". All those other logs count something (with great packet loss) but don't show the blocked requests or the interface path.
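As an added example (not code from the thread or from the OPNsense project), here is a small filterlog reader in the spirit of the "Plain View" parsing wished for above, answering the opening question: once logging is on for every rule, which rule number and label passed a given client's traffic to a given destination. The CSV field order follows the pf filterlog layout as I understand it and is an assumption to verify against your own log; the sample lines and rule labels are constructed.

```python
import csv

# Assumed field order of the IPv4 part of a pf/OPNsense filterlog record
# (syslog header already stripped). Verify against your own filter log.
IPV4_FIELDS = [
    "rulenr", "subrulenr", "anchor", "label", "interface", "reason", "action",
    "direction", "ipversion", "tos", "ecn", "ttl", "id", "offset", "flags",
    "protonum", "proto", "length", "src", "dst",
]
PORT_FIELDS = ["srcport", "dstport"]  # only present for tcp/udp records

# Constructed sample records: two passes by rule 65, one block by rule 71.
SAMPLE_LOG = """\
65,,,02f4bab031b57d1e30553ce08e0ec131,igb0,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.10,10.0.0.5,45722,445,0,S,1,0,65535,,mss
71,,,9e1c0d3a0b1f0a2a4d1e1f2a3b4c5d6e,igb0,match,block,in,4,0x0,,64,0,0,DF,17,udp,78,192.168.1.10,10.0.0.5,51000,161,58
65,,,02f4bab031b57d1e30553ce08e0ec131,igb0,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.20,10.0.0.5,45800,445,0,S,1,0,65535,,mss
"""


def parse_line(line):
    """Split one filterlog CSV payload into a dict; ports only for tcp/udp."""
    fields = next(csv.reader([line]))
    rec = dict(zip(IPV4_FIELDS, fields))
    if rec.get("proto") in ("tcp", "udp"):
        rec.update(zip(PORT_FIELDS, fields[len(IPV4_FIELDS):]))
    return rec


def rules_matching(lines, src, dst, dstport=None, action="pass"):
    """Return {(rulenr, label): hit count} for records where `action` was
    applied to traffic from src to dst (optionally to one destination port)."""
    hits = {}
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["ipversion"] != "4" or rec["action"] != action:
            continue
        if rec["src"] != src or rec["dst"] != dst:
            continue
        if dstport is not None and rec.get("dstport") != str(dstport):
            continue
        key = (rec["rulenr"], rec["label"])
        hits[key] = hits.get(key, 0) + 1
    return hits


if __name__ == "__main__":
    # Which rule let 192.168.1.10 reach SMB on 10.0.0.5?
    print(rules_matching(SAMPLE_LOG.splitlines(), "192.168.1.10", "10.0.0.5", 445))
```

The label column is what OPNsense shows in the log view, so the returned key can be pasted straight into the rules search box to locate the offending rule.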