My OPNSense has been crashing - maybe due to heat?
The OPNsense box logs to RAM because I want to avoid wearing out the NVMe / SSD it runs on, but logs held in RAM are lost when the box crashes or reboots.
Here's how to set up basic remote logging to a local server running syslog-ng...
For the Linux log collector receiving logs from OPNsense, I am using syslog-ng rather than the alternative, rsyslog.
Why syslog-ng:
| Criterion | syslog-ng | rsyslog |
|---|---|---|
| OPNsense compatibility | Excellent. OPNsense itself uses syslog-ng internally. | Excellent |
| TLS support | Simple and mature | Mature but config is often more verbose |
| Filtering/routing | Very clean config model | Extremely powerful but more complex |
| Performance | Very high | Very high |
| Learning curve | Easier | Steeper |
| Future SIEM integration | Good with Graylog, Splunk, ELK, Wazuh | Good with Graylog, Splunk, ELK, Wazuh |
Step 1: Simple central logging server
sudo apt install syslog-ng
Step 2: Set up the config
sudo vi /etc/syslog-ng/conf.d/opnsense.conf
As follows:
source s_opnsense {
    network(ip("0.0.0.0") port(514) transport("tcp"));
};
destination d_opnsense {
    file("/var/log/opnsense/${HOST}/${YEAR}-${MONTH}-${DAY}.log" create-dirs(yes));
};
log {
    source(s_opnsense);
    destination(d_opnsense);
};
Note this does not use TLS: it is clear text over TCP, so it is not suitable for anything but local networks.
Step 3: Set up OPNsense
System → Settings → Logging → Remote
Create a log destination:
- Transport: TCP(4)
- Applications: All (initially)
- Levels: All but debug
- Facilities: All
- Hostname: server IP / hostname
- Port: 514
- RFC5424: Check
Note: RFC5424 is a message format. It defines how syslog messages are structured (timestamp, hostname, app-name, structured data, etc.). It is compatible with syslog-ng and OPNsense, and is generally the best choice for firewall logging.
| Feature | RFC3164 (legacy) | RFC5424 |
|---|---|---|
| Timestamp precision | Low | High (ISO 8601) |
| Structured fields | No | Yes |
| App-name / proc-id | Limited | Explicit |
| Parsing reliability | Weaker | Stronger |
| SIEM compatibility | OK | Better |
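To see what the RFC5424 choice actually changes on the wire, here is an added example (my own code, not OPNsense's or syslog-ng's) that parses both header formats from constructed sample lines, decodes the PRI value into the facility and severity that the "Levels" setting filters on, and pulls out the hostname that the ${HOST} part of the destination path is built from. The filterlog message bodies are made-up placeholders.

```python
import re
from dataclasses import dataclass
from typing import Optional

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+)(?: (?P<msg>.*))?$"
)
# RFC3164 (legacy): <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG (no version, no app-name field)
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<hostname>\S+) (?P<msg>.*)$"
)

# Constructed sample lines: facility local0 (16) + severity info (6) gives PRI 134.
SAMPLE_LINES = [
    "<134>1 2024-05-01T12:00:00+00:00 opnsense filterlog 12345 - - 5,,,1000000103,igb0,match,block,in,4",
    "<134>May  1 12:00:00 opnsense filterlog[12345]: 5,,,1000000103,igb0,match,block,in,4",
]


@dataclass
class SyslogMessage:
    fmt: str           # "rfc5424" or "rfc3164"
    facility: int      # PRI // 8
    severity: str      # PRI % 8, mapped to its keyword
    timestamp: str
    hostname: str
    appname: Optional[str]  # only RFC5424 carries an explicit app-name field
    msg: str


def parse_syslog(line: str) -> SyslogMessage:
    """Parse one syslog line, detecting RFC5424 (version field present) versus legacy RFC3164."""
    m = RFC5424_RE.match(line)
    if m:
        pri = int(m.group("pri"))
        return SyslogMessage("rfc5424", pri >> 3, SEVERITIES[pri & 7], m.group("timestamp"),
                             m.group("hostname"), m.group("appname"), m.group("msg") or "")
    m = RFC3164_RE.match(line)
    if m:
        pri = int(m.group("pri"))
        return SyslogMessage("rfc3164", pri >> 3, SEVERITIES[pri & 7], m.group("timestamp"),
                             m.group("hostname"), None, m.group("msg"))
    raise ValueError(f"unrecognised syslog line: {line!r}")


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_syslog(line))
```

Both lines carry the same block event, but only the RFC5424 one yields an unambiguous app-name and a timestamp with year and timezone, which is what the table above means by stronger parsing.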
Click Save
Click Apply
Step 4: On the server check the syslog-ng daemon is...
listening:
sudo ss -tlnp | grep 514
running:
sudo systemctl status syslog-ng
receiving packets from OPNSense:
sudo tcpdump -i any port 514 -A
Step 5: Make the log directory readable
sudo chmod -R 755 /var/log/opnsense
Step 6: Check the logs
ls /var/log/opnsense
tail -f /var/log/opnsense/${HOST}/${YEAR}-${MONTH}-${DAY}.log (substitute the firewall hostname and today's date for the template fields)
Given this is for temporary debugging, logrotate has not been set up yet to archive and rotate the logs; more to come...