21.1.7: Suricata alert log not working

[adk20]

After the update to 21.1.7, the Suricata alert log (Services > Intrusion Detection > Administration > Alerts) appears to be broken for me.

I can see the newest 7 entries (default setting). When changing the number of entries per page or viewing another page than the first, I see old entries from before the update. To see the newest 7 again, I need to navigate to an entirely different page (e.g. Lobby) and then go back to the alert log. Then the same happens again.

Rebooting and deleting the alert log didn't help. Neither did clearing my browser cache.

Any feedback is much appreciated.

[adk20]

The 21.1.7_1 hotfix did not solve this problem for me. Any ideas as to what might be the cause of this bug?

[franco]

Hotfix was for pfTables page and DNS API resolver consumers, not for intrusion detection / log files. So far nobody else reported what you are seeing.

Are you sure this is a problem with the page and not with the log file / logging settings in intrusion detection? Might be best to clear the log and see if that helps.


Cheers,
Franco

[adk20]

@Franco, thanks for your response.

Unfortunately, deleting the log file does not fix the issue. I am also unsure which setting should cause this odd behavior. Any hints in this regard are much appreciated. However, I would think that the GUI does not allow you to configure settings that break functionality!?

Moreover, the issue only arose after the upgrade to 21.1.7. I haven't touched the Suricata log settings in months.

When I open one of the logs from the previous weeks, everything works as expeced. Flipping through the pages, changing entries per page and so on.

In the current log, I can only view the first seven entries. Clicking through the pages or changing the number of entries per page etc. results in a blank page - "no results found!".

I did reset the log and deleted this and last weeks' logs. A new log with a fresh time stamp is created but, alas, the problem persists.

On a side note: What I noticed before but didn't pay much attention to is that when I have 50 entries per page displayed, the following is displayed at the bottom of the page: "Showing 1 to 7 of 51 entries". Has anyone else observed this?

I am at my wit's end. Any clues are much valued.

Cheers,
adk

[yeraycito]

I have just checked it. The error occurs before Opnsense 21.1.7. In my case since last 13th. I have cleared the browser cache, updated Opnsense to 21.1.7.1 and the problem persists.

[franco]

Maybe https://github.com/opnsense/core/commit/644b647cf

# opnsense-patch 644b647cf


Cheers,
Franco

[yeraycito]

Solved. I cleared the alert log and it seems to be working. Before that it had gone from 7 results to 50 results in the alert log. When I went back to 7 results it was showing the data correctly. I still deleted all the alert logs.

[yeraycito]

Fixed without applying the new patch.

[yeraycito]

I was wrong, it is not solved, you have to apply the patch. When reloading the results of the alerts they disappear.

[franco]

This is all rather fishy to be honest...


Cheers,
Franco

[yeraycito]

I don't know what you mean by suspicious. We just want to help things run smoothly. I've posted a lot of screenshots explaining the problem and the possible solutions I've been able to find. If you think it's bad that we're trying to help you find and fix problems, just say so.

[franco]

To me it is simply unclear from the multiple posting structure if you applied the patch, how much success you had or how it was different or if the problem persisted.

[yeraycito]

I posted the comments and images in order as things happened, as is logical and normal and without having applied the patch and the problem was not solved. It couldn't be clearer. Now I have applied the patch and it seems that the problem has been solved.

[yeraycito]

After applying the new patch, all alerts are well recorded.

[yeraycito]

The problem is that the number of results does not correspond to the number of page views. This has not been resolved with the new patch.

I hope this is clear to you. It would be appreciated if you could be nicer to those of us who just want to help.