Remote logging | Syslog kernel messages

Open SeimusS opened this issue 6 months ago • 1 comments

Important notices

Our forum is located at https://forum.opnsense.org , please consider joining discussions there instead of using GitHub for these matters.

Before you ask a new question, we ask you kindly to acknowledge the following:

  • [X] I have read the contributing guidelines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
  • [X] I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue

Hello,

I did set up remote logging from OPNsense to send all of its logs to a remote logging server. This looks to be working fine, except OPNsense is not sending logs generated by the kernel. https://forum.opnsense.org/index.php?topic=47599.0

Issue: OPNsense doesn't send kernel logs to the remote logging server.

Description: Configuration of remote logging was done in the OPNsense UI. But to check deeper I looked into the syslog-ng config files. There are two syslog-ng configuration files: one is for local logs, one is for remote.

/usr/local/etc/syslog-ng.conf
/usr/local/etc/syslog-ng.conf.d/syslog-ng-destinations.conf

The local config has the line properly set which reads the klog to show the kernel logs within OPNsense: file("/dev/klog" follow-freq(0) flags(no-parse) program-override("kernel"));

The remote config doesn't have this line, but it has a facility defined for kernel:

filter f_aed08ccbbd1540978a983019be22d6d7_facility {
    facility(kern,user,mail,daemon,auth,syslog,lpr,news,uucp,cron,authpriv,ftp,ntp,security,console,local0,local1,local2,local3,local4,local5,local6,local7)
};

This however seems to not be sending any kernel logs to the remote syslog servers.

Question: Is this properly configured to send kernel messages from OPNsense to the remote logging server? Shouldn't the remote syslog-ng config file also contain the line to read and parse the klog?

Regards, S.

SeimusS avatar Jun 15 '25 10:06 SeimusS

The source selector (s_all) should capture the events, but maybe you can't filter them properly now. I have to try this on my end.

AdSchellevis avatar Jun 15 '25 14:06 AdSchellevis

@SeimusS the rename is acting as it should, but in order to capture the result, we should add "kernel" as application target on our end. https://github.com/opnsense/core/commit/025988147c99f168f4e7f1978e922f07c2157a8c should fix this.

AdSchellevis avatar Jul 20 '25 17:07 AdSchellevis
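As an added illustration (not OPNsense's generated configuration and not the code in the linked commit), a minimal syslog-ng setup showing why a facility-only match is not enough once /dev/klog lines carry program-override("kernel"): the application (program) filter on the remote log path must list "kernel" as well. The host name, filter names and the other program names are assumptions.

```conf
# Constructed example; OPNsense generates its own syslog-ng files.
source s_all {
    internal();
    # Kernel ring buffer, tagged with program name "kernel" as in the local config.
    file("/dev/klog" follow-freq(0) flags(no-parse) program-override("kernel"));
};

# Facility match as in the remote destinations file; klog lines pass this.
filter f_remote_facility {
    facility(kern,user,mail,daemon,auth,syslog,lpr,news,uucp,cron,authpriv,ftp,ntp,security,console,local0,local1,local2,local3,local4,local5,local6,local7)
};

# Weak: application filter built only from userland program names.
# Messages from /dev/klog carry program "kernel" and are dropped here.
filter f_remote_program_weak {
    program("filterlog") or program("dhcpd")
};

# Corrected: the override target "kernel" is listed, so klog lines match.
filter f_remote_program {
    program("kernel") or program("filterlog") or program("dhcpd")
};

# Assumed remote collector; transport and port are placeholders.
destination d_remote {
    syslog("loghost.example.internal" transport("tcp") port(514));
};

log {
    source(s_all);
    filter(f_remote_facility);
    filter(f_remote_program);   # swap in f_remote_program_weak to see kernel lines vanish
    destination(d_remote);
};
```

`syslog-ng -s -f <file>` only checks syntax; to confirm the path, watch the collector for a line whose program field is "kernel" after the change.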

Many thanks @AdSchellevis !!!!!!

SeimusS avatar Jul 20 '25 17:07 SeimusS

@SeimusS this is extremely quick ;)

AdSchellevis avatar Jul 20 '25 17:07 AdSchellevis

Tested this and working flawlessly.

FIX made it into 25.7 (thank you!). Kernel messages now arrive properly at the syslog server.

You will need to click the new "kernel" option that appeared in the Application field. This will not be auto-enabled even if you had previously selected all of the options.

P.S. if somebody is interested in the syslog server I have, it's syslog-ng > promtail > loki > Grafana

SeimusS avatar Jul 26 '25 09:07 SeimusS