2
0
mirror of https://github.com/opnsense/docs synced 2024-11-05 06:00:36 +00:00
opensense-docs/source/manual/logging_firewall.rst
sjjh 2b805178bf
Update logging_firewall.rst: corrected format (bold, italic) (#473)
It seems no nested stars are supported, thus concatenated.
2023-05-19 07:38:00 +02:00

52 lines
2.9 KiB
ReStructuredText

==============
Log Files
==============
When troubleshooting problems with your firewall, it is very likely you have to check
the logs available on your system. In the UI of OPNsense, the log files are generally grouped
with the settings of the component they belong to. The log files can be found here:
================ ======================================================== =============================================================================
**Live View** :menuselection:`Firewall --> Log Files --> Live View` *View firewall logs in realtime, smart filtering can be applied*
**Plain View** :menuselection:`Firewall --> Log Files --> Plain View` *Just the plain contents how* **pf** *logs into* **filter.log**
================ ======================================================== =============================================================================
Live View
---------
Live view updates itself in realtime if a rule is matched that has logging enabled or one of the global logging options is enabled under:
:menuselection:`System --> Settings --> Logging`
In the top left corner of the page you can build filter conditions for rules to match when inspecting traffic, while
here you can select different fields (for example `label`, `src` address, `dst` address) and how to match them
(contains, is, is not, does not contain) combined with a criteria (either a string or a preselected value, depending on type).
The [+] button adds the the filter to the view.
By default results should match all criteria (AND), but you can change that to an any of criteria (OR). The latter is sometimes
practical if you want to track a small list of hosts.
Detailed information for a specific rule can be provided using the info button at the end of each line.
.. Tip::
The :code:`host` and :code:`port` fields are a bit special and apply to both source and destination, which makes sure that
traffic matched to and from a specific address or port are both matched.
.. Tip::
Usually a rule contains a :code:`rid` field which corresponds to the rule or setting in OPNsense responsible for this match,
when clicking on the link the system will try to redirect you to the correct setting (or rule).
.. Note::
The live log only shows rules that are matched by the firewall, in case a state is created the flow will be reported for the first packet,
as long as the state still exists no new lines will be reported for the same traffic flow.
If you need to inspect raw traffic, it's often practical to combine the live-log with the packet capture feature found under
interface diagnostics in the menu.
.. Note::
Since log lines are stored on the system without an exact match to the rule in question, we do need to translate the sequence
in the file back to the rule definition stored in the system. Due to this fact, the information is less accurate
historically if the firewall was reconfigured. (labels may be incorrect when looking at older data)