On 05/02/2024 13:38, Mathias Jeschke wrote:
> Bo Berglund wrote:
>> I mean the logs being produced from these server.conf lines:
>> status /etc/openvpn/log/openvpn-status.log
>> log /etc/openvpn/log/openvpn.log
>> verb 4
>
> Why do you insist on using legacy file based logs? Systemd's journal has
> much better options to filter/display log messages.
> And the best - it's enabled by default on systemd based systems.

On top of that, using the --log option writing to file may impact
OpenVPN's tunnel performance if there are issues writing log events to
disk - because OpenVPN 2.x is single-threaded, so that happens in
between parsing all the tunnel traffic, authentication and everything
else it does.

When OpenVPN calls the syslog() call, the kernel ensures the log event
is sent to the proper logging service (systemd-journald, rsyslog,
syslog, etc) without delaying too much.

You can omit some of these performance issues by enabling DCO (kernel
based OpenVPN Data Channel Offload) .... but then you need OpenVPN 2.6+.

And just a few examples using journalctl ...

- Get the logs for the OpenVPN server config tun0.conf, just the last 4
  hours of log data

    # journalctl -u openvpn-server@tun0 --since -4h

- Similar to above, but "grep" for a specific IP address

    # journalctl -u openvpn-server@tun0 --since -4h -g 192.168.0.1

- Retrieve log events between 8 and 4 hours back in time

    # journalctl -u openvpn-server@tun0 --since -8h --until -4h

- Retrieve the first 100 log events happening yesterday

    # journalctl -u openvpn-server@tun0 --since yesterday -n 100

- Retrieve the log events for a specific PID

    # journalctl _PID=12345

- Retrieve log events sent from any "openvpn" process since the last
  boot

    # journalctl -b-1 SYSLOG_IDENTIFIER=openvpn

- Similar to the above, but only list log events from a specific PID
  in addition

    # journalctl -b-1 SYSLOG_IDENTIFIER=openvpn + _PID=12345

All of these examples can be combined. And even more possibilities exist.

And if you add -o json-pretty ... you get to see all the additional meta
data information you can match on.

If it's important for you to preserve log events for a longer time,
ensure /etc/systemd/journald.conf has enabled Storage=persistent ...
that will store all log events to disk, in the binary journal format.
Otherwise it's memory-only logging.

And the systemd-journald has built-in log rotation, where you can define
how much disk space the logs can consume. Once it reaches that limit,
it starts removing the oldest log data. You may also want to consider
ensuring log compression is enabled too.

That's why the --log option in OpenVPN should be avoided. It has poorer
performance, you need to do log rotation manually (requiring the openvpn
to get reloaded, which interrupts the tunnel) and without a quite powerful
log query tool.

--
kind regards,
David Sommerseth
OpenVPN Inc
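
Added example, not part of the original message or of OpenVPN: a small Python filter over `journalctl -o json` output that matches on the journal metadata fields mentioned above and counts failed TLS handshakes per peer address. The sample records, the PIDs and the assumption that a message starts with the peer's `ip:port` are constructed for illustration.

```python
import json
from collections import Counter

def _rec(pid, unit, message):
    # Journal JSON fields are strings, including numeric ones such as _PID.
    return json.dumps({"SYSLOG_IDENTIFIER": "openvpn", "_PID": str(pid),
                       "_SYSTEMD_UNIT": unit, "MESSAGE": message})

TUN0, TUN1 = "openvpn-server@tun0.service", "openvpn-server@tun1.service"
FAIL = "TLS Error: TLS handshake failed"

# Constructed sample in the one-object-per-line shape of `journalctl -o json`.
# Addresses are documentation ranges; the "ip:port " message prefix is assumed.
SAMPLE = "\n".join([
    _rec(12345, TUN0, "Initialization Sequence Completed"),
    _rec(12345, TUN0, f"192.0.2.10:51234 {FAIL}"),
    _rec(12345, TUN0, f"198.51.100.7:40000 {FAIL}"),
    _rec(12345, TUN0, f"192.0.2.10:51240 {FAIL}"),
    # journald emits MESSAGE as a list of byte values when it is not valid UTF-8.
    _rec(12345, TUN0, list(f"192.0.2.10:51250 {FAIL} ".encode() + b"\xff")),
    _rec(777, TUN1, f"203.0.113.5:1194 {FAIL}"),
])

def message_text(entry):
    """Return MESSAGE as text, decoding the byte-array form if present."""
    msg = entry.get("MESSAGE")
    if isinstance(msg, list):
        return bytes(msg).decode("utf-8", errors="replace")
    return msg or ""

def select(export, **match):
    """Yield entries whose fields equal every given value (ANDed together)."""
    for line in export.splitlines():
        if line.strip():
            entry = json.loads(line)
            if all(entry.get(k) == v for k, v in match.items()):
                yield entry

def count_by_peer(entries, needle):
    """Count messages containing needle, keyed by the peer IP before the first space."""
    hits = Counter()
    for entry in entries:
        peer, _, rest = message_text(entry).partition(" ")
        if needle in rest and ":" in peer:
            hits[peer.rsplit(":", 1)[0]] += 1
    return hits

if __name__ == "__main__":
    tun0 = select(SAMPLE, _SYSTEMD_UNIT=TUN0, SYSLOG_IDENTIFIER="openvpn")
    for ip, n in count_by_peer(tun0, FAIL).most_common():
        print(ip, n)
```

On a live system the same functions can be fed the text of `journalctl -u openvpn-server@tun0 -o json` in place of `SAMPLE`.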