Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
23.1 Legacy Series
»
howto use livelog correctly
« previous
next »
Print
Pages: [
1
]
Author
Topic: howto use livelog correctly (Read 1682 times)
c-mu
Full Member
Posts: 210
Karma: 5
howto use livelog correctly
«
on:
October 26, 2023, 11:34:15 am »
Please help me to understand the live log correctly. I am having extreme problems looking up anything there for debugging purposes. I mostly switch back to TCPDUMP.
For example I have a mailserver. I go into the livelog, enter the filter "src IP mailserver" or "dst IP mailserver" and nothing is displayed.
Neither my ping tests, nor the mails coming in, nor anything else.
At the same time, several mails per second go through this server, but I can't see anything in the livelog.
Do I need to check "enable logging" everywhere in the ruleset?
The mail server is in a DMZ, which means that all connections have to go through the firewall and therefore have to be visible in the livelog.
Maybe I have too many connections, so it can't show up in the livelog? I do not know exactly where I see the active connections, but the firewall has 32k active states.
don't get me wrong, when i run the livelog without filter, i see dozens of entries that change very quickly.
Logged
tiermutter
Hero Member
Posts: 1099
Karma: 61
Re: howto use livelog correctly
«
Reply #1 on:
October 26, 2023, 11:39:36 am »
Is this traffic shown in live log without filters set?
Is logging of default allow traffic or for specific rule enabled?
Logged
i am not an expert... just trying to help...
c-mu
Full Member
Posts: 210
Karma: 5
Re: howto use livelog correctly
«
Reply #2 on:
October 26, 2023, 12:19:53 pm »
I think I have now understood how OPNSense thought of it.
first i disabled the default log rules:
Log packets matched from the default block rules put in the ruleset
Log packets matched from the default pass rules put in the ruleset
Log packets processed by automatic outbound NAT rules
So there are much(!!) less entries in the live log. And if I now activate "enable logging" in a firewall rule, it also appears in the live log.
Are there any best practices which rules should be logged by default?
Logged
tiermutter
Hero Member
Posts: 1099
Karma: 61
Re: howto use livelog correctly
«
Reply #3 on:
October 26, 2023, 12:34:05 pm »
Yes, that is why I asked... when logging is not enabled, it will not be shown in live log
To reduce wear of my SSD I am only logging a very few actions/ rules in everyday life, espacially forwards and blocks for DNS purposes or blocks of some filter lists (to detect malicious activity).
This causes that I can see about 2 weeks backwards in livelog with 1000 entries.
If I need to debug, I will enable logging for affected rules temporarily.
«
Last Edit: October 26, 2023, 12:37:10 pm by tiermutter
»
Logged
i am not an expert... just trying to help...
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
23.1 Legacy Series
»
howto use livelog correctly
