Netgate Discussion Forum

    Reducing log noise?

    General pfSense Questions
      gertty

      Sorry for starting a new topic. I would have replied to this: https://forum.pfsense.org/index.php?topic=39960.0, but the forum software does not give me "reply" as an option on that thread.

      I've read that thread and I understand the out-of-state conditions like TCP:RA being logged. This post is more about a usability problem:
      When I check my logs, nearly all of the traffic on the "Last 50 Firewall Log Entries." view is two local devices phoning home. I have a "things" subnet for devices like home automation devices. These only need to talk out to the Internet. With the current behavior of logging out-of-state packets, "my Last 50 Firewall Log Entries" is basically useless. Any log line I would like to investigate rolls off the end.

      Is there a different way to solve this problem? Should I be looking at a different log file or running it through a log analyzer of some sort? What do others do to separate these out from potentially "interesting" log lines quickly?

        kpa

        Create a separate block rule without logging for the uninteresting traffic that matches the traffic before any default block rule or other rule matches it. This way the traffic never gets logged.

          Derelict LAYER 8 Netgate

          And, for quick and dirty log searches, you can exclude multiple patterns with filters like this:

          !pattern1|pattern2

          This works in any field such as !80|443 in destination port.

          And there's always clog /var/log/filter.log | grep any_regex_you_want

          There's a link to PCRE docs on the log filter page if you're feeling randy.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)
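
The exclusion approach from the replies above, taken one step further as an added example that is not part of the original thread: instead of hiding every line from the noisy hosts, it drops only their blocked out-of-state TCP packets (anything but a bare SYN) and can report how many lines it dropped per source. The field positions are an assumed filterlog CSV layout for IPv4 TCP entries; the function names, addresses and log lines are constructed.

```shell
#!/bin/sh
# Added example. Assumed filterlog CSV fields for IPv4/TCP entries (1-based):
#   7=action  9=ip-version  17=protocol  19=source  24=tcp-flags
# The syslog prefix contains no commas, so it only pads field 1.

# triage MODE "SRC1 SRC2 ..." reads filter log text on stdin.
#   MODE=keep   print every line that is not out-of-state noise
#   MODE=count  print "source dropped-lines" for the suppressed noise
triage() {
    mode="$1"; noisy="$2"
    awk -F, -v mode="$mode" -v noisy="$noisy" '
    BEGIN { n = split(noisy, a, " "); for (i = 1; i <= n; i++) quiet[a[i]] = 1 }
    # Noise: blocked IPv4 TCP from a listed host that is not a new connection
    # attempt (flags other than a bare SYN, e.g. RA or FA).
    $7 == "block" && $9 == "4" && $17 == "tcp" && ($19 in quiet) && $24 != "S" {
        dropped[$19]++
        next
    }
    mode == "keep" { print }
    END {
        if (mode == "count") {
            for (src in dropped) print src, dropped[src] | "sort"
            close("sort")
        }
    }'
}

# Constructed sample input: two out-of-state packets from the "things" hosts,
# a WAN probe, a new outbound SYN from a "things" host, and a UDP block.
sample_log() {
    cat <<'EOF'
Jan  5 10:00:01 fw filterlog[1234]: 4,,,1000000103,igb1,match,block,in,4,0x0,,64,1111,0,DF,6,tcp,40,192.168.50.21,203.0.113.10,40112,443,0,RA,,1000,0,,
Jan  5 10:00:02 fw filterlog[1234]: 4,,,1000000103,igb1,match,block,in,4,0x0,,64,1112,0,DF,6,tcp,40,192.168.50.22,203.0.113.11,40113,443,0,FA,2000,2001,0,,
Jan  5 10:00:03 fw filterlog[1234]: 4,,,1000000103,igb0,match,block,in,4,0x0,,52,1113,0,DF,6,tcp,60,198.51.100.7,192.0.2.5,51515,22,0,S,3000,,64240,,mss
Jan  5 10:00:04 fw filterlog[1234]: 4,,,1000000103,igb1,match,block,in,4,0x0,,64,1114,0,DF,6,tcp,60,192.168.50.21,192.0.2.99,40200,23,0,S,4000,,64240,,mss
Jan  5 10:00:05 fw filterlog[1234]: 4,,,1000000103,igb1,match,block,in,4,0x0,,64,1115,0,none,17,udp,76,192.168.50.22,192.0.2.53,5353,53,56
EOF
}

# On the firewall, the input would come from the command quoted in the thread:
#   clog /var/log/filter.log | triage keep "192.168.50.21 192.168.50.22"
```

A new SYN from a listed host (the port 23 line in the sample) is still shown, so a change in a device's behaviour is not hidden along with its routine noise.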

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.