Sensei on OPNsense - Application based filtering

Started by mb, August 25, 2018, 03:38:14 AM

Hi donatom3,

Thanks for reporting this. Having a look now.

MB,

Another issue I've been having is the pan interface randomly disconnecting completely and I have to reboot to ping the interface again.

This is something that started since opnsense 19.1 for me. It happened on sensei 7.0 as well.

It happened on my old hardware and new. Both bare metal installs with Intel nics using the igb drivers. I can't find anything meaningful in the logs.

I'm using the stock kernel now. Not sure if the test kernel will help with this lockup of the interface.

Hi donatom3,

Thanks for reporting the issue in detail. I'll reach out to you to investigate further together.

Quote from: mb on March 23, 2019, 01:05:46 AM
Dear Sensei users,

An update on broken Elasticsearch indices:

After digging together with users who have reported the issue, it looks like the indices were broken because some index file integrity got broken.

This is usually because of an abrupt shutdown of the firewall. If power goes off suddenly, before Elastic does a full write of its in-memory buffers, then we have a broken index.

So, to avoid this issue, try to turn off your system gracefully.

If in any case this happens, Sensei 0.8.0.beta6 has a "Fix Elastic indices" button under Sensei -> Configuration -> Reporting & Data menu. Just click on the button and Sensei will reset only the broken indices.

0.8.0.beta6 is available for update for 0.8 users.

0.8 looks stable enough to offer as an update for existing 0.7 installations. If we do not see any outstanding issues, we'll move 0.8 to the general repo in a few days.

I just had a power outage on my opnsense; after the reboot the reports could not be displayed. The "Fix Indices" shows all good, but the report still does not show up. I still have the system in a "broken" state if you want to investigate further...

OpnSense 19.1.4
Sensei 0.8beta6

astoklas,

Thanks for the report. Reaching out to you now.

Hello Murat,

Is there an option to sync/export the collected data to another ELK Stack?

Background:
I'm already running an ELK Stack in my network and I want to add the Sensei data to it, too.
Sensei has much more information than the default syslog infos from OPNSense.

Benefit:
- long time archive
- own correlation searches with other logs from the network/apps/devices
- build own dashboards and searches
- faster results than on the firewall itself

Thanks

Hi!

I use Sensei in a couple of opnsense systems. Works well so far.
I was wondering, is there any way to run it on a low-memory board?
I have a PC Engines APU2 board with 2GB memory, but I have a fast V-NAND mSATA SSD.
I set up an 8GB swap file on the opnsense so I have 2GB physical and 8GB swap. The access speed does not differ much since the SSD is very fast.
I removed the memory-checking row from the installation script so Sensei installed successfully.
I can configure it too; it warns me the physical RAM is low but I can continue.
However, when I try to start the engine it says: Sensei detected swap usage is too high
And it stops. Yes, I know the swap usage is high, but I don't think it can cause any issue since I use the fast SSD. Is there any way to override this? Let Sensei use the swap file; I take the risk.

Thanks!

SunnyValley is evaluating lightweight backend database engines to provide a lighter version for home users with low-spec hardware. When they are ready, there will be no need for such swap tricks...
Proxmox enthusiast @home, bare metal @work.

Quote from: BeNe on March 26, 2019, 05:04:01 PM
Hello Murat,

Is there an option to sync/export the collected data to another ELK Stack?

Background:
I'm already running an ELK Stack in my network and I want to add the Sensei data to it, too.
Sensei has much more information than the default syslog infos from OPNSense.


Hi BeNe,

Many thanks for your suggestion. This feature - along with syslog and netflow streaming - is in the roadmap.


Quote from: Antaris on March 28, 2019, 07:22:20 AM
SunnyValley is evaluating lightweight backend database engines to provide a lighter version for home users with low-spec hardware. When they are ready, there will be no need for such swap tricks...

Hi Archanfel80,

As Antaris recommends, you might think of waiting for the alternative db backend work.

Sensei uses in-memory caching, so I would worry that swap usage might degrade your system performance badly -- even if you are using an SSD.

Still, if you want to go for it, Disable Health Check from Sensei: Configuration: Updates & Support, and you're all set.

Thank You!
Both of you :)
I will probably wait for the light version, but I'll give the SSD swap a try just for testing. It's a low-bandwidth system, just a few users, so it might be no problem. If so, we know it's no good :)
Regards, Peter

Anyone having problems blocking YouTube using 0.8.0.beta7? I used app control but it has no effect. Other controls seem to work fine. It's a shame, as the reason I installed it was to try this out!
Anyone else tried blocking YouTube?

March 30, 2019, 12:32:18 PM #237 Last Edit: March 30, 2019, 12:34:13 PM by mayo
Archanfel80 could you please make a step by step guide? I will try Sensei on my apu2c4...

thank you!

Quote from: mayo on March 30, 2019, 12:32:18 PM
Archanfel80 could you please make a step by step guide? I will try Sensei on my apu2c4...

thank you!

Hi!

On a 2c4, which has 4GB RAM, it's enough to use the default 2GB swap file. Just enable it in system-miscellaneous.
Make sure you have limited Sensei to 100 users maximum, and you will have no problem.

Quote from: Archanfel80 on March 31, 2019, 11:10:35 PM
Quote from: mayo on March 30, 2019, 12:32:18 PM
Archanfel80 could you please make a step by step guide? I will try Sensei on my apu2c4...

thank you!

Hi!

On a 2c4, which has 4GB RAM, it's enough to use the default 2GB swap file. Just enable it in system-miscellaneous.
Make sure you have limited Sensei to 100 users maximum, and you will have no problem.

Thank you so much! Will try in the afternoon!