Problem with settings up Opnsense & Graylog

[gizm0]

I have Opnsense 19.7 installed on APU2 board. I have also setup working Graylog 2.4.7 server, which I have used to log all messages from different servers for many years.

I now tried to get opnsense to send logs (settings ->logging->remote logging options) to graylog, but it doesn't seem to be sending any logs at all. All other servers are working as expected and those can send logs to graylog, but opnsense doesn't. I have setup opnsense to send logs to syslog UDP input, but nothing is coming in. Any suggestions what I'm doing wrong in here? I also checked opnsense firewall log, but nothing is being sent out to graylog according to those logs.

[gizm0]

I just tested the setup with older version 19.1.x and it seems to be working ok. When i upgrade the system to version 19.7 it stops sending logs to graylog.

Also I noticed that there is new logging section in opnsense called "Settings" -> "Logging / targets", but there is no guide/manual about that part. Is that something that needs to be set in version 19.7?

[mimugmail]

This is the new remote logging which should be the one you want to configure

[gizm0]

so i don't need to setup that "logging" section for graylog at all? I should only configure "logging /targets" section and disable remote logging in "logging" section?

[mimugmail]

Via console:

opnsense-patch 398e00c
service configd restart


Then you need to stop/start loggin/targets entry and it works.
Will be fixed in next version.

[lfirewall1243]

Hello,

i treid the patch above and it works.

But on the graylog server i see that messages are incoming but they aren't showing in the search. Maybe the timestamp have changed after 19.7?

Thanks.

[mimugmail]

No idea, maybe you create a new input in Graylog and compare them?

[lfirewall1243]

a reboot of the graylog server did it

But it seems that the new logging feature is buggy.
Suricata Logs aren't working anymore, squid logs etc. are shown.

But even logs are shown that aren't selected.

Is it possible to use the old loggin version?

[mimugmail]

Should be possible, just enable it and disable tagets section.

[GLR]

But it seems that the new logging feature is buggy.
Suricata Logs aren't working anymore, squid logs etc. are shown.

But even logs are shown that aren't selected.

According to what I observed on the opnsense logs, it seems the logging configuration changes (applications, levels, facilities, transport...) are not correctly taken in account when saved (even with the patch applied). I had to disable the "Logging / targets" feature and enable it again to get the changes applied.

Once that set, the new syslog forwarding feature works correctly including in TCP mode (sent here to a Filebeat/Elastic/Kibana).
And even without using the new "Logging / targets" page, the legacy forwarding feature works now correctly, being compliant with the syslog standards (especially hostname present). In my understanding, syslog-ng is now also involved when using the legacy log forwarding UI / feature.

[mimugmail]

There will be a fix for Save/Apply actions tomorrow