Netgate Discussion Forum

UNOFFICIAL GUIDE: Have Package Logs Record to a secondary SSD drive Snort Syslog Squid and or Squid cache system

  • J
    JonathanLee
    last edited by JonathanLee Jan 6, 2025, 10:58 PM Jan 5, 2025, 6:06 AM

    Hello fellow Netgate community members, I wanted to share this guide with you because everyone has always been so helpful to me. If you see anything wrong with it, please reply.

    WARNING: IF YOU DO NOT KNOW WHAT YOU ARE DOING YOU CAN BREAK PFSENSE BADLY WITH GPART, SO MAKE SURE YOU ARE WORKING WITH THE CORRECT DRIVE.

    For the duration of the guide nda0 is my NVMe drive that is installed over a mPCIE to M.2 adapter with an Intel Optane H10 SSD drive.

    What this guide does is explain how to utilize a different drive for Squid logs and/or other logs such as syslog and Snort logs.

    Drive Partitions folder generation user permissions:

    For our secondary drive I will use freebsd-ufs over GPT.

    First we need to partition our drive with gpart. I am using a drive that is already configured as GPT with a swap partition, so I am adding a partition.

    If you have not added a GPT, here is the command:

    gpart create -s GPT nda0
    

    If you want to add a swap to use on this drive also:

    gpart add -t freebsd-swap -a 1M -s 8GB -l swapUSB nda0
    

    OK, here is the add command for the partition we will use. Keep in mind mine is nda0p2 because I also have a swap that is nda0p1.

    gpart add -t freebsd-ufs -s 230GB -l LOG nda0
    newfs_msdos /dev/nda0p2
    

    Now we need to create a mount point before we mount the drive.
    I am using nvme/LOGS_Optane.

    mkdir -p /nvme/LOGS_Optane
    

    Next we will have to change the ownership of this so Squid can write and access this before we mount the drive. We must do this before or it will not work at all.

    chown -R squid:proxy /nvme/LOGS_Optane
    #   -->  after we must change the privileges 
    chmod 775 /nvme/LOGS_Optane
    

    Now let's mount the SSD as msdos so we can write to it inside of pfSense.

    mount_msdosfs /dev/nda0p2 /nvme/LOGS_Optane
    

    Now we can simply create new folders inside this for our needs.

    I want one for Squid Dump files, one for logs and one for syslogs.

    mkdir /nvme/LOGS_Optane/syslog-ng
    mkdir /nvme/LOGS_Optane/Squid_Logs
    mkdir /nvme/LOGS_Optane/Squid_Dump
    

    Now that we have our folders, run ls -l to check that they show the right ownership.

    Shell Output - ls -l /nvme/LOGS_Optane
    total 192
    drwxrwxr-x  1 squid  proxy  32768 Jan  4 20:25 Squid_Dump
    drwxrwxr-x  1 squid  proxy  32768 Jan  4 20:25 Squid_Logs
    drwxrwxr-x  1 squid  proxy  32768 Jan  4 21:23 syslog-ng
    

    Possible Errors:
    If you do not change your ownership you will have errors like this:

    Jan 4 21:05:02	(squid-1)	58832	FATAL: Cannot open '/nvme/LOGS_Optane/Squid_Logs/access.log' for writing. The parent directory must be writeable by the user 'squid', which is the cache_effective_user set in squid.conf.
    Jan 4 21:04:47	(squid-1)	48353	FATAL: Cannot open '/nvme/LOGS_Optane/Squid_Logs/access.log' for writing. The parent directory must be writeable by the user 'squid', which is the cache_effective_user set in squid.conf.
    Jan 4 21:04:33	(squid-1)	667	FATAL: Cannot open '/nvme/LOGS_Optane/Squid_Logs/access.log' for writing. The parent directory must be writeable by the user 'squid', which is the cache_effective_user set in squid.conf.
    

    Squid Package Changes:

    OK, now they are ready to be used. Change your Squid package here.
    Now we will add a custom rule so we can dump core files for Squid. Yes, Squid can dump files too, well, only if we tell it where to dump them.

    Now check your logs. You should not see errors; if you do, check your permissions. However, to change them you must first change Squid back to /var/squid/logs and afterwards force unmount the drive.

    To unmount:

    umount -f /nvme/LOGS_Optane
    

    After it is unmounted, change the permissions and try again. To remount, run this again:

    mount_msdosfs /dev/nda0p2 /nvme/LOGS_Optane
    

    SYSLOG PACKAGE:
    Now that it is working, change your syslog-ng also if you want.

    CRON JOB FOR DRIVE AUTO-MOUNT WITH EVERY REBOOT:

    Create a cron job so that the drive is mounted at every reboot here:

    Now check the folder that you use as the mount. It should show logs being generated now, and this can help save your pfSense SSD in the long run.

    SNORT LOGS:

    Also, say you want Snort logs to go to your new drive.

    You first have to disable Snort and delete the contents of /var/log/snort.
    If you don't, it will not let you create a symbolic link. It is OK if you go back; just delete the symbolic link and Snort will regenerate the old location log folders.

    #delete the old folder
    rm -r /var/log/snort
    

    Next, create a symbolic link to that old location so it just records to the new drive:

    #if you need to create the folder on your drive do so like this
    mkdir /nvme/LOGS_Optane/snort
    
    #create new link to drive that is mounted
    ln -s -F /nvme/LOGS_Optane/snort /var/log/snort
    

    That is it. Afterwards, check to see the new folders being generated and created in logs.

    Check Drive Partitions if needed
    We can also check gpart to see our partitions with:

    gpart show nda0
    


    SQUID CACHE:

    Next if you want to also run your cache off of your secondary drive you can do that also.

    Create a new folder example:

    mkdir /nvme/LOGS_Optane/Squid_Cache
    

    After that, change your cache path here.

    Check to see if it is generating the new cache in system logs:

    Jan 6 08:56:00	php-fpm	664	/pkg_edit.php: [squid] Starting service...
    Jan 6 08:55:21	php-fpm	664	/pkg_edit.php: [squid] Creating Squid cache subdirs in /nvme/LOGS_Optane/Squid_Cache ...
    Jan 6 08:55:21	php-fpm	664	/pkg_edit.php: [squid] Will NOT delete cache dir '/nvme/LOGS_Optane/Squid_Cache' since it is not located under /var/squid. Delete manually if required.
    Jan 6 08:55:20	php-fpm	664	/pkg_edit.php: [squid] Removing freshclam cronjob.
    Jan 6 08:55:20	php-fpm	664	/pkg_edit.php: [squid] Antivirus features disabled.
    Jan 6 08:55:20	php-fpm	664	/pkg_edit.php: [squid] Adding cronjobs ...
    Jan 6 08:55:20	php-fpm	664	/pkg_edit.php: [squid] - squid_resync function call pr: bp: rpc:no
    Jan 6 08:55:20	php-fpm	664	/pkg_edit.php: The command '/usr/local/etc/rc.d/squid.sh stop' returned exit code '1', the output was '2025/01/06 08:55:14| ERROR: Directive 'dns_v4_first' is obsolete.'
    Jan 6 08:55:02	php-fpm	664	/pkg_edit.php: [squid] Stopping any running proxy monitors
    Jan 6 08:55:02	php-fpm	664	/pkg_edit.php: [squid] Deleting Squid cache dir '/var/squid/cache' since 'Hard Disk Cache Location' changed to '/nvme/LOGS_Optane/Squid_Cache'.
    Jan 6 08:55:02	check_reload_status	496	Syncing firewall
    

    After this, check your folder.

    You should see your cache populate and swap.state values increasing.

    Any recommendations, please reply. This is unofficial.
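
The reboot mount step in the guide above, written as a guard script. This is an added example, not part of the original post; it assumes the guide's /dev/nda0p2 and /nvme/LOGS_Optane, and the function names and the `--mount` switch are hypothetical. mount_msdosfs takes its default owner and permission mask from the mount-point directory, so the script checks that directory before mounting and reports when the drive is absent instead of letting services log silently to the root disk.

```shell
#!/bin/sh
# Added example (not from the original post): mount the log drive at boot only
# when it is safe, so services never log into an empty mount point unnoticed.
DEV=/dev/nda0p2                      # partition used in the guide
MNT=/nvme/LOGS_Optane                # mount point used in the guide
WANT="squid:proxy drwxrwxr-x"        # result of the guide's chown and chmod 775

# is_mounted MOUNTPOINT [MOUNT_OUTPUT]: true if `mount` lists "<dev> on MOUNTPOINT".
# MOUNT_OUTPUT defaults to the live table; pass text to check a saved copy.
is_mounted() {
    table=${2-$(mount)}
    printf '%s\n' "$table" |
        awk -v m="$1" '$2 == "on" && $3 == m { hit = 1 } END { exit !hit }'
}

# dir_owner_mode DIR: print "owner:group mode" as shown by ls -ld.
dir_owner_mode() {
    ls -ld "$1" | awk '{ print $3 ":" $4, substr($1, 1, 10) }'
}

# mount_logs: 0 = mounted, 1 = device missing, 2 = mount point has the wrong
# owner/mode (msdosfs would inherit it), otherwise mount_msdosfs's own status.
mount_logs() {
    is_mounted "$MNT" && return 0
    if [ ! -e "$DEV" ]; then
        echo "log drive $DEV not present; logs would land under $MNT on the root disk" >&2
        return 1
    fi
    got=$(dir_owner_mode "$MNT")
    if [ "$got" != "$WANT" ]; then
        echo "$MNT is '$got', expected '$WANT'; fix it before mounting" >&2
        return 2
    fi
    mount_msdosfs "$DEV" "$MNT"
}

# Run the guard only when asked, e.g. from a cron entry that fires at reboot.
if [ "${1-}" = "--mount" ]; then
    mount_logs
fi
```

A non-zero exit from the cron run means Squid, syslog-ng and the Snort symlink are pointing at the bare directory on the pfSense system disk rather than at the secondary drive.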

    • J
      JonathanLee @JonathanLee
      last edited by Jan 5, 2025, 6:12 AM

      @JonathanLee To test, unmount the drive after you change it back to /var/squid/logs and notice all the files are no longer listed in the mount point; they are saved to the drive. Remount and it should come back. That is how you know it is done correctly.

      I used to play with FDISK back in the DOS 3.11 days when FAT and FAT16 were king. This has improved a lot; back in those days it would take time to generate new portions on drives. So be careful, it is quick and breaks stuff if you are not watching.

      If anyone knows what the permissions should be set to, please let me know.

          • J
            JonathanLee
            last edited by Jan 6, 2025, 5:58 PM

            Why do this? Because it cuts down use of the primary SSD that is used by pfSense. If a log/cache drive fails it will not take out your system, as you can replace it without having to reload all of pfSense. It lets the system last longer by way of fewer rewrites on the m.2 drive.

            • J
              JonathanLee
              last edited by JonathanLee Jan 6, 2025, 10:01 PM Jan 6, 2025, 7:07 PM

              For all of this unofficial guide
              UPDATE:

              WARNING: Per recommendations, use a different mount point. mnt is used during upgrades, so create a custom location to do this with.

              I created a new location, /nvme/LOGS_Optane, to use in place of mnt.

              Do not use mnt as a mount point; create a custom location.

              In some photos you can still see mnt; just ignore them and replace that with the name.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.