Netgate Discussion Forum

    Firewall logs real short?

    General pfSense Questions
    • wm408

      I have my logs set to 200 max entries.

      The firewall logs in particular show a random number of log entries.  For example right now there are 9 entries.  Other times I may see 22, or 15, or 8.  But nowhere near the 200 max.

      On this hardware I have:

      2.0.1-RELEASE (i386)
      built on Mon Dec 12 18:24:17 EST 2011
      FreeBSD 8.1-RELEASE-p6

      Installed.

      On another unit, separate from this one, I have the same version of pfSense installed and it has firewall logs listing as they should.

      Thoughts?

      • jimp Rebel Alliance Developer Netgate

        There could be many lines getting filtered out either as irrelevant or unparseable for some reason. Check the raw log (clog /var/log/filter.log) and see what shows up there and how it compares to the parsed version in the GUI.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • wm408

          Hi Jimp.  You're right I think about "unparseable" logs.  For example, I had a lot of entries in /var/log/filter.log that were like this.

          Mar 15 09:38:55 wbpf pf: 00:00:04.639905 rule 1/0(match): block in on em1: (tos 0xc0, ttl 2, id 0, offset 0, flags [none], proto EIGRP (88), length 60)
          Mar 15 09:38:55 wbpf pf:     192.168.10.150 > 224.0.0.10:
          Mar 15 09:38:55 wbpf pf:        EIGRP v2, opcode: Hello (5), chksum: 0xee68, Flags: [none]
          Mar 15 09:38:55 wbpf pf:        seq: 0x00000000, ack: 0x00000000, AS: 100, length: 20
          Mar 15 09:38:55 wbpf pf:          General Parameters TLV (0x0001), length: 12
          Mar 15 09:38:55 wbpf pf:            holdtime: 15s, k1 1, k2 0, k3 1, k4 0, k5 0

          Then I would have a more simple entry like this that does actually show in the GUI firewall log:

          Mar 15 11:24:14 wbpf pf: 00:02:59.476224 rule 1/0(match): block in on em0: (tos 0x0, ttl 108, id 256, offset 0, flags [none], proto TCP (6), length 40)
          Mar 15 11:24:14 wbpf pf:     218.22.87.214.6000 > 172.16.10.10.3389: Flags , cksum 0x2403 (correct), seq 1059782656, win 16384, length 0

          Does the filter.log have a maximum size in bytes?  It looks like roughly 500K and it never seems to change.  It seems like a lot of the unparsables may be clearing the /var/log/filter.log and the GUI firewall log in a way, rolling over somehow?

          @jimp:

          There could be many lines getting filtered out either as irrelevant or unparseable for some reason. Check the raw log (clog /var/log/filter.log) and see what shows up there and how it compares to the parsed version in the GUI

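Added example, not part of the thread and not pfSense's own parser: it groups the raw filter.log lines quoted in the post into entries and compares how much of a fixed-size circular log (clog) each kind consumes. The regexes and the 500 KB size are assumptions taken from the post's sample lines and its size estimate.

```python
import re
from collections import defaultdict
# Constructed sample: the raw filter.log lines quoted in the post above.
SAMPLE = """\
Mar 15 09:38:55 wbpf pf: 00:00:04.639905 rule 1/0(match): block in on em1: (tos 0xc0, ttl 2, id 0, offset 0, flags [none], proto EIGRP (88), length 60)
Mar 15 09:38:55 wbpf pf:     192.168.10.150 > 224.0.0.10:
Mar 15 09:38:55 wbpf pf:        EIGRP v2, opcode: Hello (5), chksum: 0xee68, Flags: [none]
Mar 15 09:38:55 wbpf pf:        seq: 0x00000000, ack: 0x00000000, AS: 100, length: 20
Mar 15 09:38:55 wbpf pf:          General Parameters TLV (0x0001), length: 12
Mar 15 09:38:55 wbpf pf:            holdtime: 15s, k1 1, k2 0, k3 1, k4 0, k5 0
Mar 15 11:24:14 wbpf pf: 00:02:59.476224 rule 1/0(match): block in on em0: (tos 0x0, ttl 108, id 256, offset 0, flags [none], proto TCP (6), length 40)
Mar 15 11:24:14 wbpf pf:     218.22.87.214.6000 > 172.16.10.10.3389: Flags , cksum 0x2403 (correct), seq 1059782656, win 16384, length 0
"""
# Assumed patterns, derived only from the sample lines above.
HEADER = re.compile(r"pf: [\d:.]+ rule \S+\(match\): \w+ (?:in|out) on \w+: .*proto (?P<proto>\S+) \(\d+\)")
ADDRS = re.compile(r"pf:\s+(?P<src>\S+) > (?P<dst>[^:\s]+):")

def group_entries(text):
    """Attach each indented continuation line to the header line before it."""
    entries = []
    for line in text.splitlines():
        m = HEADER.search(line)
        if m:
            entries.append({"proto": m["proto"], "lines": [line]})
        elif entries and re.search(r"pf:\s{2,}\S", line):
            entries[-1]["lines"].append(line)
    return entries

def summarize(text, log_bytes=500 * 1024):
    """Per protocol: entries, lines, bytes, and how many average entries fit in log_bytes."""
    stats = defaultdict(lambda: {"entries": 0, "lines": 0, "bytes": 0})
    for e in group_entries(text):
        s = stats[e["proto"]]
        s["entries"] += 1
        s["lines"] += len(e["lines"])
        s["bytes"] += sum(len(l) + 1 for l in e["lines"])
    for s in stats.values():
        s["fit"] = log_bytes // (s["bytes"] // s["entries"])
    return dict(stats)

def split_by_shape(text):
    """Two-line entries (one 'src > dst:' line) versus multi-line verbose entries."""
    simple, verbose = [], []
    for e in group_entries(text):
        m = ADDRS.search(e["lines"][1]) if len(e["lines"]) == 2 else None
        if m:
            simple.append((e["proto"], m["src"], m["dst"]))
        else:
            verbose.append((e["proto"], len(e["lines"])))
    return simple, verbose
```

On a live box, the same functions can be fed the text produced by `clog /var/log/filter.log` to see which protocols account for most of the buffer.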
          • jimp Rebel Alliance Developer Netgate

            For that, see http://doc.pfsense.org/index.php/Why_can%27t_I_view_view_log_files_with_cat/grep/etc%3F_%28clog%29

            • wm408

              Ok.  Thanks Jimp.

              @jimp:

              For that, see http://doc.pfsense.org/index.php/Why_can%27t_I_view_view_log_files_with_cat/grep/etc%3F_%28clog%29
