Keep More Logs for Firewall Rules
-
Hello everyone, I would like to keep more firewall logs and I can't find any setting for that besides the log file size. For example:
This widget is set to show the last 10 logs, and shows only 1.
This is because there are no more logs; I have also checked in Status -> System Logs -> Firewall.
Any suggestions much appreciated.
-
@bambos did you turn off default logging? What are your firewall rules on your interfaces?
That is a pass log, maybe that is the only traffic you have seen - source of that traffic is rfc1918. Did you turn that logging off?
-
@johnpoz Hello! This is ticked (to log) packets matched from default block rules, and also further below is ticked to log from bogon and private networks.
I don't see how this is a problem, since the logging of this pass rule is happening (I have enabled this by ticking the logging on the firewall rule).
As you can see in the previous screenshot, we have logged the last entry successfully but not the previous entry, which was 3 hours ago. This is what I'm asking: how to increase this. Is it the log file size under System Logs -> Firewall -> Normal View -> settings icon?
-
@bambos can we see the rest of your firewall rules? Maybe you put a rule or had a rule that blocked and didn't log. The source is rfc1918; by default on a WAN there is a block rfc1918 rule - if you turned off logging of that - then you wouldn't see that it's blocked, etc.
-
Yes, you can just increase the log file size there.
That first screenshot shows only one entry because it's filtered, not because nothing is being logged. In fact enough is being logged that there are fewer than 3hrs of firewall logs retained by default.
Steve
-
@johnpoz Hello John, yes, this is a private APN over 4G. This interface I have set to block bogon but not private, because they use the 172.XX range.
This is all I use. In the logs I have many blocks (bogon) normally.
There is no issue there. I just want to have more of that allow rule that I'm more interested in.
If you remember, some hours ago we had a log, now there is none. This is what I'm asking: to get more history of that allow rule.
(Widget is set to 10.) In the firewall logs, if I apply the pass filter on that interface it shows none, not even the one we had some hours ago. I hope it is clear now.
-
@stephenw10 Hello Steve, so the blocking logs overflow the maximum file size and then logs start to be overwritten, if I understand correctly?
If we say that we don't care about the blocking logs, can they be disabled to keep the focus on allow only?
-
@bambos said in Keep More Logs for Firewall Rules:
can be disabled and keep focus on allow only ?
Yes you can just disable the logging of the bogon and the default.. And then just log via the rules you want.
-
Yes, exactly. The traffic hitting the bogons rule is all going to be that same IGMP I imagine and that's not really at all useful to log. So just stop logging traffic on the bogons rule and you will have far more log space/time.
Steve
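An added example, not part of the thread and not pfSense code: one way to see which rule is consuming the firewall log's fixed size budget before deciding what to stop logging. It assumes the raw filterlog CSV layout (rule, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, ...); the hostname, tracker IDs and sample lines are constructed.

```python
import re
from collections import Counter

# Assumed: syslog prefix, then filterlog's comma-separated fields.
FILTERLOG = re.compile(r"filterlog\[\d+\]:\s*(.+)$")

# Constructed sample: frequent IGMP blocks and one pass entry on igb1.
SAMPLE_LOG = """\
Mar  3 09:00:01 fw filterlog[4242]: 11,,,11001,igb1,match,block,in,4,0xc0,,1,0,0,DF,2,igmp,32,0.0.0.0,224.0.0.1,datalength=8
Mar  3 09:00:31 fw filterlog[4242]: 11,,,11001,igb1,match,block,in,4,0xc0,,1,0,0,DF,2,igmp,32,0.0.0.0,224.0.0.1,datalength=8
Mar  3 09:01:01 fw filterlog[4242]: 11,,,11001,igb1,match,block,in,4,0xc0,,1,0,0,DF,2,igmp,32,0.0.0.0,224.0.0.1,datalength=8
Mar  3 09:01:31 fw filterlog[4242]: 11,,,11001,igb1,match,block,in,4,0xc0,,1,0,0,DF,2,igmp,32,0.0.0.0,224.0.0.1,datalength=8
Mar  3 09:02:10 fw filterlog[4242]: 85,,,20001,igb1,match,pass,in,4,0x0,,64,4321,0,DF,6,tcp,60,172.16.5.10,192.168.1.20,51000,443,0,S,1000,,64240,,mss
Mar  3 09:02:11 fw sshd[900]: constructed non-firewall line
"""

def parse_line(line):
    """Return tracker/interface/action for a filterlog line, else None."""
    m = FILTERLOG.search(line)
    if not m:
        return None
    f = m.group(1).split(",")
    if len(f) < 9:  # truncated or malformed entry
        return None
    return {"tracker": f[3], "interface": f[4], "action": f[6]}

def log_usage(text):
    """Count entries and bytes per (interface, action, tracker)."""
    entries, size = Counter(), Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["interface"], rec["action"], rec["tracker"])
        entries[key] += 1
        size[key] += len(line) + 1  # +1 for the newline on disk
    return entries, size

def block_share(text):
    """Fraction of firewall-log bytes spent on block entries."""
    _, size = log_usage(text)
    total = sum(size.values())
    blocked = sum(b for (_, act, _), b in size.items() if act == "block")
    return blocked / total if total else 0.0

if __name__ == "__main__":
    entries, size = log_usage(SAMPLE_LOG)
    for key, nbytes in size.most_common():
        print(key, entries[key], "entries,", nbytes, "bytes")
    print(f"block share of log bytes: {block_share(SAMPLE_LOG):.0%}")
```

The key with the largest byte count is the rule whose logging shortens retention for everything else in the same file.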