[Solved] Firewall logging stopped, live view shows outdated entries only

[hbc]

My live log stopped, filter.log is empty and I have no idea how to get it working again.

I checked and uncheck the "Log Firewall Default Blocks" rules, reset/cleared all logs, rebooted, added the log option to nearly every rule, but no entries in live view, overview or plain view. filter.log stays empty.

Tried also:
https://forum.opnsense.org/index.php?topic=9542.0

Did not help either

My current workaround is:

Code: [Select]

#  tcpdump -n -e -ttt -i pflog0
So, pflog0 interface is working. What component is between pflog0 and live view?

filterlog and syslog are running:

Code: [Select]

55019  -  Ss     0:00.05 /usr/local/sbin/filterlog -i pflog0 -p /var/run/filterlog.pid
60021  -  Ss     0:00.10 /usr/local/sbin/syslogd -s -c -c -P /var/run/syslog.pid -l /var/dhcpd/var/run/log -l /var/unbound/var/run/log -f /var/etc/syslog.conf

System is a fresh installation with 19.1.4 updated to 19.1.6. No mods in file system have been done, just configurations via web gui for interfaces and carp. Now I wanted to start adding rules and boom ... no logs to check.

[hbc]

No ideas?
I made factory default reset and imported backup in sections.
Lagg devices, vlan, interfaces, gateways, system, dhcp, everything ok.

But then, when Importing firewall rules, the live view stops.

Next attempt, I will create rules manually again.

What could be the reason for live view to stop? I guess something with aliases or firewall groups.

[vikozo]

maybe it has something to do with alias
https://forum.opnsense.org/index.php?topic=12464.0

[hbc]

maybe it has something to do with alias
https://forum.opnsense.org/index.php?topic=12464.0

I don't think so. I tried 19.1.4 and same problem. My 19.1.6 has applied 4 patches to fix aliases.
It must be something that interferes with filterlog and prevents that log entries get displayed in gui.
Can you accidentally drop the communication with filterlog with rules or redirects?

[hbc]

The problem exists again. There seems to be a configuration that prevents filterlog-daemon to update /var/log/filter.log. It worked while restoring machine from scratch and adding settings and rules.

And now after adding some Outbound rules, VIP, etc., live view is stale again. It must be an option that gets activated by reboot, because the last log entry is before a firewall reboot. So much harder to debug, since this machine needs ages to reboot.

I tried to restart filterlog daemon manually, but it does not even touch the filter.log file.

Can anybody explain the expected flow of logs into live view?

pf generates logs into pflog0 interface and filterlog reads this interface and write entries to filter.log? Or how is filter.log updated? What could prevent updates? IP sockets used, unix sockets? What could interfere?

Update:
Seems to be an issue with Tuneables. Set to default and reboot solved the problem. Now I have to figure out which sysconfig option stops my live view and why.

[hbc]

Problem found. Too much hardening. Seems as filterlog does not request explicit read access.

Code: [Select]

# bpf is write-only unless program explicitly specifies the read filter (default 0)
net.bpf.optimize_writers = "1"