syslog-ng

[guest23316]

The new syslog-ng is not fully baked.  I have remote syslogs being sent for over a year.  I created a new log analysis for further testing and duplicated the current destination (System>>Settings>>Logging/Targets) and update the duplicate with the new IP address.  After a few hours troubling shooting, noticed tcpdump didn't yield any results.  I rebooted OPNsense and started receiving logs but not the same as the duplicated instance.  I utilized a network tap and moloch to capture the traffic (full packet capture).  Next, I filtered on port 5140 saw OPNsense sending to two instances.  Upon analysis of the traffic, I noticed the original had what I needed but the newly setup instances is only receiving NTPD logs.  Settings are identical...what the heck is going on and why are this settings not taking?

I really have enjoyed OPNsesne but looking to make the switch back to pfSense where things just work a little better.

 

[packet loss]

I'm wondering if the following OPNsense commit fixed the issue you might be having:

https://github.com/opnsense/core/commit/cda4e3561f511fb75a7a7922b329d5581ae2c3b7

[franco]

Not aware of any issues with the config, maybe you can share your settings preferably by screenshot.

The particular patch was for syslog-ng crashing due to a race on the socket creation.


Cheers,
Franco

[guest23316]

I did a clean install today and everything is now working....weird.

[michael]

I had a very stable machine (HP 290 w/Celeron G4900 3.1GHz 4GB RAM 16GB NVME) running 20.1.1, CPU use was typically about 15% and would occasionally bump up to 60%. The system ran for 60 days continuous uptime, no issues. 

I upgraded to 20.1.5 today, and it is now running at 60% CPU (idle) and spiking up to 100%, with temps 10-15 degrees C higher than before. 

The activity log shows the culprit is syslog-ng which is using 60+% of WCPU. 

Anyone else having this problem?  Wondering how to fix it, other than just shutting down the syslog service.