Tons of sshguard log entries and it's not enabled
-
Good Morning @johnpoz !
Firewall logs are not mixed with system logs in the web interface.
-
@geovaneg yeah - it was my morning before coffee attempt at humor ;) heheh
-
Right now your only options there are larger logs and/or log less. You could probably go to 100MB files for the filter log easily. I have seen users with log file set in the GB. I would not recommend that though!
-
Hi @stephenw10
Let's try an ideal combination of the two.
But for today I'll just follow the behavior.
Thanks.
Geovane
-
Change of plans:
My quiet time dropped to less than 20 minutes in the last rotation, with the arrival of users on the wifi network.
I am changing the size of the log files to 100MB and the retention to 2 files.
-
Good morning gentlemen,
Thanks to you, we are evolving towards a satisfactory configuration.
I was looking for logs to disable and I noticed that the squid access logs are being written locally to the /var/log/nginx.log file and also to the /var/squid/logs/access.log folder.
Do you know if there's a way to solve this without affecting the sending to the remote server?
Note: I have the LightSquid package installed as well.
Thanks.
-
Hmm, nothing I'm aware of but I've never tried to solve that before. You mean prevent Squid writing to the nginx log? You certainly need local logging for LightSquid to work.
-
Good Morning,
Yes, LightSquid uses log files from the "/var/squid/logs" folder. I reduced the space used by changing the retention of logs in the squid from 30 to 3 files.
Regarding the same logs that go to "/var/log/nginx.log" it seems that they are sent remotely to syslog, so there's not much to do there.
-
Sirs,
Thanks again for the suggestions.
I believe that we have reached a suitable configuration for our case.
I'll report the actions in case anyone finds this useful in the future:
pfSense 2.6.0 - FW/GW/Proxy wifi network approx 1300 daily users.
Logs are sent remotely for auditing purposes. Lots of filter logs!
Our final configuration to avoid "sshguard" spam looked like this:
- We increased log file size to 100MB;
- To avoid excessive disk consumption, retention has been changed to only two files in "log settings";
-rw------- 1 root wheel 97239550 Jul 14 11:35 filter.log
-rw------- 1 root wheel 102682474 Jul 13 16:16 filter.log.0
-rw------- 1 root wheel 102697059 Jul 13 11:31 filter.log.1
- To avoid the risk of unnecessary CPU consumption, log compression was disabled (UFS);
- We disabled the log packets matched from the default block rules in the ruleset to reduce the amount of system logs;
- We reviewed the other firewall rules and kept the logs strictly necessary;
- Also to avoid space consumption, squid log retention has been reduced from 30 to 3 files.
Thanks,
Geovane
-
ok run into same thing ...
gonna have a look into this
2.6CE
br
NP
-