Topic: (Resolved) After Upgrade from 21.7 to 22.1, firewall logging stopped (Read 2174 times)
MrEnergy
« on: February 02, 2022, 07:01:04 pm »
Solution: that alias 9700 was broken and this stopped the logging from working (for whatever reason). I found another hint in this forum for when you cannot delete an alias: I renamed it and applied, and suddenly the console was overloaded with error messages and rebooted.
After the reboot the alias still had the old name; I tried to rename it again, and this time it worked. After applying the renamed alias, the firewall started logging again!!
Today I upgraded my working OPNsense 21.7 to 22.1; after several reboots, firewall logging stopped.
OPNsense 22.1-amd64
FreeBSD 13.0-STABLE
OpenSSL 1.1.1m 14 Dec 2021
Intel(R) Xeon(R) CPU E5-2687W v2 @ 3.40GHz (4 cores, 4 threads)
VM Server 6.7 u3
root@gedu-opn:/var/log # service -e
/etc/rc.d/hostid
/etc/rc.d/hostid_save
/etc/rc.d/cleanvar
/etc/rc.d/kldxref
/etc/rc.d/ip6addrctl
/etc/rc.d/rctl
/etc/rc.d/mixer
/etc/rc.d/devmatch
/etc/rc.d/netif
/etc/rc.d/resolv
/etc/rc.d/devd
/usr/local/etc/rc.d/syslog-ng
/etc/rc.d/newsyslog
/etc/rc.d/os-release
/etc/rc.d/dmesg
/etc/rc.d/virecover
/etc/rc.d/gptboot
/etc/rc.d/motd
/etc/rc.d/syslogd
/etc/rc.d/savecore
/usr/local/etc/rc.d/flowd_aggregate
/usr/local/etc/rc.d/elasticsearch
/usr/local/etc/rc.d/eastpect
/usr/local/etc/rc.d/snmpd
/usr/local/etc/rc.d/c-icap
/usr/local/etc/rc.d/flowd
/usr/local/etc/rc.d/suricata
/usr/local/etc/rc.d/zabbix_agentd
/usr/local/etc/rc.d/squid
/etc/rc.d/cron
/usr/local/etc/rc.d/redis
/usr/local/etc/rc.d/clamav-clamd
/usr/local/etc/rc.d/clamav-freshclam
/etc/rc.d/bgfsck
I've tried several possible solutions (googled), like deleting all log files, restarting the syslog-ng service, clearing logs via the GUI, and so on. Nothing helped.
root@gedu-opn:/var/log # ls -la /var/log
total 88
drwxr-xr-x 22 root wheel 1024 Feb 2 18:28 .
drwxr-xr-x 31 root wheel 512 Jan 25 08:09 ..
drwx------ 2 root wheel 512 Feb 2 18:01 audit
drwxr-x--- 2 c_icap c_icap 512 Feb 2 17:08 c-icap
drwxr-xr-x 2 clamav clamav 512 Feb 2 17:08 clamav
drwx------ 2 root wheel 512 Feb 2 18:01 configd
drwx------ 2 root wheel 512 Feb 2 16:58 dhcpd
drwxr-xr-x 2 elasticsearch elasticsearch 512 Feb 2 17:07 elasticsearch
drwx------ 2 root wheel 1024 Feb 2 16:58 filter
drwx------ 2 www www 512 Feb 2 18:01 lighttpd
drwxr-x--- 2 root wheel 512 Feb 2 16:58 maltrail
drwxr-xr-x 2 root wheel 2560 Feb 2 18:20 ntp
drwx------ 2 root wheel 512 Feb 2 18:01 ntpd
drwx------ 2 root wheel 512 Feb 2 18:06 pkg
drwx------ 2 root wheel 512 Feb 2 18:01 portalauth
drwxr-xr-x 2 redis redis 512 Feb 2 17:06 redis
drwx------ 2 root wheel 512 Feb 2 18:01 resolver
drwx------ 2 root wheel 512 Feb 2 16:58 routing
drwxr-x--- 2 squid squid 512 Feb 2 17:08 squid
drwx------ 2 root wheel 512 Feb 2 18:01 suricata
drwx------ 2 root wheel 512 Feb 2 18:01 system
drwxrwx--- 2 zabbix zabbix 512 Feb 2 16:58 zabbix
root@gedu-opn:/var/log #
Anything else you need for investigation or possible solution?
Also no syslog streams anymore to my syslog server. pflog0 file is empty
root@gedu-opn:/var/log # tcpdump -n -e -ttt -i pflog0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 262144 bytes
Update: when I enable login on allowed rules via GUI, I see the following messages on the console:
user xxxx@x.x.x.x changed configuration to /conf/backup/config-1643828188.9265.xml in /firewall_rules.php [/firewall_rules.php made changes]
Then I press the apply button and I see:
/usr/local/etc/rc.filter_configure: There were error(s) loading the rules: /tmp/rules.debug:131: syntax error - The line in question reads [131]: 9700 = "{ }"
My next try is to recreate some of my hundreds of rules, to see if the upgrade broke the rule sets.
Update: not sure if this could be the issue, but when I try to delete that 9700 alias, I get a message:
Cannot delete alias. Currently in use by
[aliases.alias.1e2ff2a5-c6ad-4fc8-9015-7be8e1d335b3] 9700
but I have no rules which include the port 9700 alias?!
« Last Edit: February 02, 2022, 08:20:00 pm by MrEnergy »
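The error quoted in the post points at a macro line in /tmp/rules.debug (`9700 = "{ }"`). As an added example (not part of the original post and not OPNsense code), this sh/awk check flags macro lines with an empty list value or an all-digit name; the function names and the sample ruleset are constructed, and the post does not say which of the two properties pf rejects, so both are reported.

```shell
#!/bin/sh
# Added example (not OPNsense code): lint a pf ruleset file such as
# /tmp/rules.debug for macro lines like the one in the error above.
# Function names and the sample ruleset are constructed for illustration.

# Print "<line>:<reasons>:<text>" per suspicious macro; return 1 if any found.
check_pf_macros() {
    awk '
    /^[ \t]*#/ { next }                          # ignore comment lines
    /^[ \t]*[A-Za-z0-9_]+[ \t]*=/ {              # lines of the form name = value
        name = $0;  sub(/^[ \t]*/, "", name); sub(/[ \t]*=.*$/, "", name)
        value = $0; sub(/^[^=]*=[ \t]*/, "", value)
        why = ""
        # value is an empty list, with or without surrounding quotes
        if (value ~ /^"?[ \t]*[{][ \t]*[}][ \t]*"?[ \t]*$/) why = "empty-list"
        # name consists of digits only, as an alias named after a port would
        if (name ~ /^[0-9]+$/) why = (why == "" ? "" : why ",") "numeric-name"
        if (why != "") { printf "%d:%s:%s\n", NR, why, $0; bad = 1 }
    }
    END { exit bad + 0 }' "$1"
}

# Write a constructed sample ruleset to the given path.
write_sample_rules() {
    cat > "$1" <<'EOF'
# constructed sample, not taken from a real firewall
web_ports = "{ 80 443 }"
9700 = "{ }"
empty_hosts = "{ }"
pass in log quick on em0 proto tcp to port $web_ports
EOF
}

sample=$(mktemp) && write_sample_rules "$sample"
# pfctl -n parses a ruleset without loading it, so it can confirm a finding.
check_pf_macros "$sample" || echo "suspicious macros found; confirm with: pfctl -nf <file>"
rm -f "$sample"
```

A non-zero return from `check_pf_macros` makes it usable as a pre-apply or cron check, so a ruleset that fails to load is noticed before logging goes quiet.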