[Solved] Firewall logging stopped, live view shows outdated entries only

hbc · April 26, 2019, 08:47:44 AM

My live log stopped, filter.log is empty and I have no idea how to get it working again.

I checked and uncheck the "Log Firewall Default Blocks" rules, reset/cleared all logs, rebooted, added the log option to nearly every rule, but no entries in live view, overview or plain view. filter.log stays empty.

Tried also:
https://forum.opnsense.org/index.php?topic=9542.0

Did not help either

My current workaround is:

Code Select

# tcpdump -n -e -ttt -i pflog0

So, pflog0 interface is working. What component is between pflog0 and live view?

filterlog and syslog are running:

Code Select

55019  -  Ss     0:00.05 /usr/local/sbin/filterlog -i pflog0 -p /var/run/filterlog.pid
60021  -  Ss     0:00.10 /usr/local/sbin/syslogd -s -c -c -P /var/run/syslog.pid -l /var/dhcpd/var/run/log -l /var/unbound/var/run/log -f /var/etc/syslog.conf

System is a fresh installation with 19.1.4 updated to 19.1.6. No mods in file system have been done, just configurations via web gui for interfaces and carp. Now I wanted to start adding rules and boom ... no logs to check.

hbc · May 01, 2019, 10:47:48 AM

No ideas?
I made factory default reset and imported backup in sections.
Lagg devices, vlan, interfaces, gateways, system, dhcp, everything ok.

But then, when Importing firewall rules, the live view stops.

Next attempt, I will create rules manually again.

What could be the reason for live view to stop? I guess something with aliases or firewall groups.

vikozo · May 01, 2019, 12:30:51 PM

maybe it has something to do with alias
https://forum.opnsense.org/index.php?topic=12464.0

hbc · May 01, 2019, 05:12:35 PM

Quote from: vikozo on May 01, 2019, 12:30:51 PM
maybe it has something to do with alias
https://forum.opnsense.org/index.php?topic=12464.0

I don't think so. I tried 19.1.4 and same problem. My 19.1.6 has applied 4 patches to fix aliases.
It must be something that interferes with filterlog and prevents that log entries get displayed in gui.
Can you accidentally drop the communication with filterlog with rules or redirects?

hbc · May 07, 2019, 12:53:22 PM

The problem exists again. There seems to be a configuration that prevents filterlog-daemon to update /var/log/filter.log. It worked while restoring machine from scratch and adding settings and rules.

And now after adding some Outbound rules, VIP, etc., live view is stale again. It must be an option that gets activated by reboot, because the last log entry is before a firewall reboot. So much harder to debug, since this machine needs ages to reboot.

I tried to restart filterlog daemon manually, but it does not even touch the filter.log file.

Can anybody explain the expected flow of logs into live view?

pf generates logs into pflog0 interface and filterlog reads this interface and write entries to filter.log? Or how is filter.log updated? What could prevent updates? IP sockets used, unix sockets? What could interfere?

Update:
Seems to be an issue with Tuneables. Set to default and reboot solved the problem. Now I have to figure out which sysconfig option stops my live view and why.

hbc · May 09, 2019, 10:37:03 AM

Problem found. Too much hardening. Seems as filterlog does not request explicit read access.

Code Select

# bpf is write-only unless program explicitly specifies the read filter (default 0)
net.bpf.optimize_writers = "1"

[Solved] Firewall logging stopped, live view shows outdated entries only

hbc

April 26, 2019, 08:47:44 AM Last Edit: May 09, 2019, 10:37:16 AM by hbc

hbc

May 01, 2019, 10:47:48 AM #1

vikozo

May 01, 2019, 12:30:51 PM #2

hbc

May 01, 2019, 05:12:35 PM #3

hbc

May 07, 2019, 12:53:22 PM #4 Last Edit: May 07, 2019, 04:39:54 PM by hbc

hbc

May 09, 2019, 10:37:03 AM #5