Lamenting the change to firewall live log searching
TrixieBell (Newbie, Posts: 8, Karma: 1)
Lamenting the change to firewall live log searching
« on: February 22, 2023, 09:54:42 pm »
I recently upgraded from an ancient OPNsense 20.something install to a modern 23.bleedingedge version and the only change I noticed in the Web GUI was that the search of the live logs went from a quick and easy broad search with regex to a clunky dropdown option.
I loved the other one. It was quick and easy to use, in my opinion one of the best features of the GUI (which in general I think is pretty great).
I'm not looking for replies, just letting people (devs perhaps?) know how much I miss it.
RIP nice search.
Helle (Newbie, Posts: 24, Karma: 1)
Re: Lamenting the change to firewall live log searching
« Reply #1 on: February 23, 2023, 08:10:07 pm »
I feel your pain.
The current filtering is not working imho since any search term effectively makes the log disappear from the view.
I used to be able to enter a few arguments and then enable reverse lookup to see what's going on but that was long ago.
According to various forum posts from developers, this should be fixed but I don't see that on my end.
I am working with a rather well-known enterprise firewall brand at work, and querying the logs for various problems is, in my world, really important to find problems and then fix them.
Fright (Hero Member, Posts: 1777, Karma: 164)
Re: Lamenting the change to firewall live log searching
« Reply #2 on: February 24, 2023, 08:34:08 pm »
@TrixieBell
regex search in firewall live view? was it like that?
@Helle
imho this is not a bug per se (and therefore no 'fix' is needed): the live view works as expected in the chosen logic.
https://forum.opnsense.org/index.php?topic=31568.0
https://github.com/opnsense/core/pull/6177
For devs to decide to spend time again, more feedback is needed from users.
but if you really-really need the old logic right now:
Code:
    opnsense-patch -a kulikov-a c5d545b
Helle (Newbie, Posts: 24, Karma: 1)
Re: Lamenting the change to firewall live log searching
« Reply #3 on: February 24, 2023, 10:46:05 pm »
Thanks for the clarification.
I did read the discussions when the change was introduced but did not speak out, because I thought it was just a temporary glitch that was to be fixed, and there were fixes made shortly after the change.
I can no longer find a way to drill down things using a few search arguments and then resolve the result, nor can I have a query that will auto-display what I'm interested in whenever it occurs.
In fact, I have a really hard time figuring out how people use the live log at all after the change.
I do not want to patch my system since I like to have it as stock as possible but maybe someone can explain how to use the live log in a decent way.
For instance, filter live data to show the hostname for traffic from a specific source where the port is 1337 and it seems to happen every 5 minutes.
On my box, the "live feed" briefly shows some rows but then they disappear and a few new rows appear, and when selecting resolve, things get even more weird if possible, and in a few seconds the window is blank.
I guess that is supposed to happen and that's why I no longer have any use for the live log.
Please correct me if I'm wrong. This is not a rant even if it contains 100% rant material. I'd like to be corrected so much.
Helle (Newbie, Posts: 24, Karma: 1)
Re: Lamenting the change to firewall live log searching
« Reply #4 on: February 24, 2023, 10:56:16 pm »
Hello again :-)
It seems to be possible to use the live log in some way if one disables the auto refresh, but in my world that is a "non-live log".
I have to investigate if I can use this for something useful but I do miss the old way which reminds a little bit of the monitor tab with search expression field in the other brand I was not mentioning.
Update: It is still rather difficult to get the result since it seems to show only after the view is filled.
If my window is set to show 25 rows, my query will only display anything when the result is 25 rows or more, so it is rather backwards, and no indication is shown that anything is picked up with the current filter arguments, whereas the old behavior filled the view in a "live log" way.
Sorry for taking everyone's time, but I hope my feedback can make a difference somehow.
Update2: The resolve doesn't seem to work as I expect, but it might have to do with whether the refresh is quick or whether it takes some time to get enough data in the live log buffer, I guess.
What I am suggesting is that the behavior is rather confusing.
Update3:
The auto refresh tick box could be renamed to auto clear since it is a more descriptive label ;-)
Other than that, I am even more confused after really trying to get the logic behind this with only trial and error and not reading a lot of manuals and developer discussion threads.
I guess I need to send my logs to a syslog server with some elastic functionality to be able to use the logs but I hope to be proven wrong asap.
« Last Edit: February 24, 2023, 11:17:25 pm by Helle »
TrixieBell (Newbie, Posts: 8, Karma: 1)
Re: Lamenting the change to firewall live log searching
« Reply #5 on: February 26, 2023, 07:28:46 pm »
I have noticed the log lines disappearing almost as soon as they appear. It doesn't do it for me just now but I think it happened when I had every packet being logged. I had assumed there was a limited cache of logs to filter and that those logs were scrolling out of the cache too fast.
I did like being able to search on DNS name when you put Lookup hostnames on. Being able to just type ESX and see the logs for all my ESX servers etc.
Helle (Newbie, Posts: 24, Karma: 1)
Re: Lamenting the change to firewall live log searching
« Reply #6 on: February 27, 2023, 12:15:19 am »
Exactly the way I used to use the live log and how we use the monitoring tab at work for finding important anomalies.