25.7 AND 25.1 nothing shown in firewall log (live view, Overview, and Plain View)?

Started by Wolfspyre, March 09, 2025, 03:16:30 AM

March 09, 2025, 03:16:30 AM Last Edit: April 23, 2025, 01:24:37 AM by Wolfspyre Reason: expanding on diagnostic actions taken
I know, not 25.1 solely, but not really sure of the best place to raise this question.

Since upgrading to 25.7, the live view firewall logs no longer show anything on my systems.

I witnessed the problem on my standby firewall, but the HA sync page's advice of (paraphrased)
'the standby and primary are running different versions, upgrade to avoid weirdness'

led me to think that this was likely a symptom of having the pair split across versions.

However, that's not the case.

Things WORKING:
- all of the panes within `diagnostics` show data
- `/ui/firewall/alias_util/` shows aliases and counters as expected.
- `/ui/diagnostics/firewall/statistics#rules` shows all the rules alongside evaluations and counters
- `/ui/diagnostics/firewall/pf_top` shows sessions as expected
- `/ui/diagnostics/firewall/states` shows states as expected
- `/ui/diagnostics/firewall/statistics#info` shows all the expected counters as usual
- `ui/diagnostics/log/core/firewall` shows some stuff (mostly the update of fail2ban from maltrail)
- The statistics on matches in an interface's rulesets still work.
- PF is still doing its thing.
- the lobby dashboard

the firewall pair is still working correctly afaict...
however....

under firewall/logfiles
( live view | overview | Plain view )
none of these show content.

All the panes in `/ui/diagnostics/firewall/stats` show 'No Data Available'

The live view shows nothing.

Anyone have similar experiences?
Suggestions?
Any diagnostic steps that would be useful or informative?

- I have validated that 'enable local logging' is checked in 'system/settings/logging'.
- I have disabled local logging and re-enabled it.
- I have reset the logfiles.

under `system:settings:logging` on the statistics pane, it seems like syslog's healthy.... I'm a bit confused.



25.1 is where you need to be. Go back to System - Firmware and switch from Development to Community, then check for updates.

Infamous "works for me" on latest opnsense-devel. Clearing browser cache would be my first suggestion.


Cheers,
Franco

I tried multiple browsers in anonymous mode before even considering posting here..

Any suggestions on what I might do/try to do to identify where the problem might be?


Easy ICMP rule with logging with source of client. Start ping from client and watch live log?


Cheers,
Franco


Nada.
Nothing shows in the UI.
Where should I look systemically to step back?

IE: What does the 'live view' webui use as its source?
How can I tap there to see if log events are present there?

I have the same problem. Since updating to 25.1.3 no filterlog is being generated. Other logs are but not filterlog.


If you haven't already, try a reboot of your router. I rebooted the router and now have the filterlog being generated to disk.

I recently installed 25.1.3 from the iso.
During bootup, I'm seeing blocks logged with descriptions that are associated with system and user-defined PASS rules.
e.g. 'let out anything from firewall host itself (force gw)' and a user rule (associated with a port forward) that passes udp/53 to the firewall 127.0.0.1. I have default block logging turned off.

Is this to be expected during start-up? These anomalous log entries do stop immediately the opnsense host is fully up and running. But I wondered how the description from a pass rule gets associated with a block in the log.

Okay,

at this point, I'm really pretty stumped.

- I have rolled my standby firewall back to 25.1.5_5
- I have replaced all -devel packages with their "stable" counterparts

I am still unable to see any firewalling events in live view.
Now, if my config broke something, that's .... okay, whatever... that's on me.

Nevertheless, the problem encountered **STILL** ought to be logged, but I'm not seeing anything obvious.
Neither the dashboard's live view of firewall actions, nor the live view display anything.

This **IS** somewhat troublesome, as I've been attempting to sort out some bad traffic, and the lack of ability to inspect this in the webui is mildly problematic.


Could really use some pointers as to what to inspect or what might be contributing to the problem...


I'm sure it's my fault.... but I'm stumped as to how. ;)

I'd really appreciate some insight, as I'm kinda at a loss as to how to solve my own problem here.

What feeds the log plumbing here?

How can I walk back the cat, as it were?

What information would be helpful in further teasing apart the problem I've made for myself here? :)

Create a rule allowing ICMP to 9.9.9.9 and make it the first in the list. Have a machine in that (v)lan do a continuous ping to 9.9.9.9.

Go to Live View and filter by address contains 9.9.9.9

Post a screenshot with the rule and with the live view.

Hello, here is a similar situation: on live view I can see only a very limited number of lines.
If I ping 9.9.9.9 I see replies on the Windows computer terminal, but there is nothing on the liveview or plain view.

This happens both with a specific rule in place or not.

I don't know if it's just my error, but shouldn't the liveview show everything even if the single rules are not flagged to be logged? (blue circle with an "i" inside)