Topic: OPNsense sshd logs to central logserver (Graylog)
king_boring
« on: January 18, 2024, 04:37:56 pm »
Hi everyone, I hope someone can help me.
I'm trying to set up some alerting in Graylog for ssh logins to my OPNsense.
In general it's working since I enabled logging targets for "audit".
But on Graylog I just receive audit logs concerning WebGui (config changes, WebGui Logins etc.)
So I checked on the filesystem and it seems that OPNsense is just pushing /var/log/audit.log entries to central syslog and not the log entries from /var/log/audit/audit*.log. These logs also seem to be the ones used in the WebGui (System -> Log Files -> Audit).
Do I understand that correctly? Is there a way to get sshd audit logs sent to a central syslog server?
king_boring
« Reply #1 on: January 22, 2024, 11:03:15 am »
Could someone please confirm that behaviour of audit logs?
Otherwise I will continue trying to troubleshoot this :-)
gradlon
« Reply #2 on: July 23, 2024, 12:29:55 am »
I have more or less the same questions.
I get most of the logs via rsyslog, but not the ssh logs.
Is there a way to send those via rsyslog?
meyergru
« Reply #3 on: July 23, 2024, 01:16:36 am »
As for the initial question: Syslog does not collect messages from any file (neither /var/log/audit.log - which does not even exist on my machines - nor /var/log/audit/audit*.log), but only dispatches syslog events. These events in turn are locally logged by syslog-ng to /var/log/audit/audit*.log and can also be sent to a remote log target.
For each target, you can select log levels, applications and facilities. Any of those can be omitted to mean "all". If you get the combination wrong, say you want application "audit" combined with facility "clock daemon", you may not get anything at all, so it is best to start with "all/all/all" and look at the Graylog results. From there, you can choose to select or omit the events you do not want recorded - you may as well fetch all events and filter in Graylog afterwards.
For openssh, the default log level is "INFO", the default facility is "USER" and the program is "sshd", which could be changed in the sshd settings file, but that is not possible from the web interface and if you change it manually, it may get overridden by future changes.
As it seems, the application sshd is not in the selectable list of applications.
If that bothers you, file a bug on GitHub. An alternative would be to send any application logs to Graylog, since the "USER" facility alone would probably show more than sshd only.
Or you do it like me: send everything over to Graylog and do the filtering there for good measure.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005, 1100 down / 440 up, Bufferbloat A+
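As an added illustration of the "send everything and filter afterwards" approach described in the reply above (this is example code, not something from the thread, OPNsense or Graylog), the following Python decodes the syslog PRI of forwarded RFC 5424 lines into facility and severity, keeps only program "sshd" on facility USER (1) at the INFO level or higher, and extracts login outcomes suitable for alerting. The sample lines, host name and addresses are constructed for the example.

```python
import re
from dataclasses import dataclass

# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD] MSG
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<pid>\S+) (?P<msgid>\S+) (?:\[[^\]]*\]|-) ?(?P<msg>.*)$"
)
FACILITY_USER = 1    # syslog facility "user" (default for OpenSSH)
SEVERITY_INFO = 6    # lower number = more severe; INFO is the sshd default

# OpenSSH authentication result lines (password and publickey both match)
SSH_AUTH = re.compile(
    r"^(Accepted|Failed) (\S+) for (?:invalid user )?(\S+) from (\S+) port \d+"
)

# Constructed sample input, as a Graylog syslog input would receive it.
SAMPLE = [
    "<14>1 2024-01-18T16:37:56+01:00 opnsense sshd 1234 - - Accepted publickey "
    "for root from 192.0.2.10 port 51234 ssh2: ED25519 SHA256:EXAMPLEKEY",
    "<14>1 2024-01-18T16:38:10+01:00 opnsense sshd 1235 - [meta seq=\"2\"] "
    "Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2",
    "<13>1 2024-01-18T16:39:00+01:00 opnsense audit 999 - - user root@192.0.2.10 "
    "changed configuration in /system_advanced_admin.php",
]

@dataclass
class SshEvent:
    host: str
    outcome: str   # "accepted" or "failed"
    user: str
    src_ip: str

def parse(line):
    """Split one RFC 5424 line; PRI = facility * 8 + severity."""
    m = RFC5424.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    return {"facility": pri // 8, "severity": pri % 8, "host": m["host"],
            "app": m["app"], "msg": m["msg"]}

def ssh_logins(lines):
    """Return SSH authentication events from sshd messages on facility USER."""
    events = []
    for line in lines:
        rec = parse(line)
        if rec is None or rec["app"] != "sshd" or rec["facility"] != FACILITY_USER:
            continue
        if rec["severity"] > SEVERITY_INFO:      # skip DEBUG chatter
            continue
        m = SSH_AUTH.match(rec["msg"])
        if m:
            events.append(SshEvent(rec["host"], m.group(1).lower(), m.group(3), m.group(4)))
    return events
```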