Problem with sending logs to graylog

Started by gizm0, July 22, 2021, 03:15:33 PM

I have Opnsense 21.1.8_1-amd64 installed on APU2 board. I have also setup working Graylog 4.0.9 server, which I have used to log all messages from different servers and devices.

I tried to get opnsense to send audit and openvpn logs (System -> Settings -> Logging / Targets) to graylog, but it sends only openvpn logs. All other servers are working as expected and can send logs to graylog, but opnsense doesn't. I have set up opnsense to send logs to a syslog UDP input, but only openvpn logs are coming in.

I also noticed that opnsense sends some of the openvpn logs to graylog. For example, it does not send this openvpn log event: "openvpn[37083]    USERHERE/IPHERE:PORT SIGTERM[soft,remote-exit] received, client-instance exiting", but this one is sent to graylog: "openvpn[37083]   MANAGEMENT: CMD 'quit'".

The weird part is that it worked yesterday when I set up remote logging, but after I changed the graylog IP address (as the server was moved) it stopped working and opnsense sent only some of the messages (only openvpn logs).

This is what I have tried so far:
- remove logging and recreate the settings
- reboot
- restart services

I have attached screenshots of the opnsense setup and events from graylog that are sent to graylog.

I'd suggest checking the on-disk configs; maybe they stuck to the old IP somewhere in /usr/local/etc/syslog-ng.

Alternatively, try downloading the config, edit out all the modified syslog targets and restore that as a backup...
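One way to carry out the check suggested above, as an added example that is not part of this thread and not OPNsense's own tooling: scan a syslog-ng config directory for quoted IPv4 literals in destination statements and flag any that do not match the collector you expect. The sample config files, the temporary directory and the addresses (192.0.2.10 as the old collector, 198.51.100.20 as the new one) are constructed; on a real firewall you would point it at /usr/local/etc/syslog-ng instead.

```shell
#!/bin/sh
# Added example (not from the thread, not OPNsense code): find syslog-ng
# destination hosts and report any that still reference a stale collector.

# Print every quoted IPv4 literal found in *.conf files under $1, one per line,
# deduplicated. syslog-ng puts the remote host as a quoted string inside
# udp(...) / network(...) destination drivers, so this catches both forms.
find_destination_hosts() {
    dir="$1"
    grep -rhoE '"([0-9]{1,3}\.){3}[0-9]{1,3}"' "$dir" 2>/dev/null \
        | tr -d '"' | sort -u
}

# Return 0 if every destination host equals the expected collector ($2),
# 1 if any other host remains; stale hosts are printed to stdout.
check_stale_destinations() {
    dir="$1"; expected="$2"
    stale=$(find_destination_hosts "$dir" | grep -vxF "$expected" || true)
    if [ -n "$stale" ]; then
        printf '%s\n' "$stale"
        return 1
    fi
    return 0
}

# Constructed sample tree: one target still pointing at the old collector
# (192.0.2.10), one already updated to the new one (198.51.100.20).
tmp=$(mktemp -d)
mkdir -p "$tmp/conf.d"
cat > "$tmp/conf.d/target-old.conf" <<'EOF'
destination d_graylog_old { udp("192.0.2.10" port(1514)); };
EOF
cat > "$tmp/conf.d/target-new.conf" <<'EOF'
destination d_graylog { network("198.51.100.20" port(1514) transport("udp")); };
EOF

if check_stale_destinations "$tmp" "198.51.100.20"; then
    echo "all syslog-ng destinations point at 198.51.100.20"
else
    echo "the destination(s) listed above still reference a stale collector"
fi
rm -rf "$tmp"
```

A stale address turning up here would explain why only part of the log stream reaches the new server: whichever target file was regenerated sends to the right place, while any leftover fragment keeps sending to the old one.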

July 29, 2021, 11:44:48 AM #2 Last Edit: July 29, 2021, 11:56:42 AM by gizm0
Actually, it started to work on the same day I wrote the original post here. Well, at least it is sending the messages to graylog, but there still seems to be one problem. For some of the opnsense events it takes over 1.5 hours to send the message. I have checked that the problem is on the opnsense side, as the message arrives at graylog 1.5 hours later and it has the current timestamp from opnsense although the event happened 1.5 hours before.

Some of the messages are sent right away, such as the messages which can be seen in the screenshot on this thread (for example the message: "OPNsense.hosts openvpn[37083]: MANAGEMENT....").

To me it looks like the messages that have the text "MANAGEMENT" in them are sent right away and everything else takes a longer time.

I have now tried upgrading to the latest Opnsense version, 21.7, but it still doesn't work as it should.