Firewall logs real short?
-
I have my logs set to 200max entries.
The firewall logs in particular show a random number of log entries. For example right now there are 9 entries. Other times I may see 22, or 15, or 8. But nowhere near the 200max.
On this hardware I have:
2.0.1-RELEASE (i386)
built on Mon Dec 12 18:24:17 EST 2011
FreeBSD 8.1-RELEASE-p6 installed.
On another unit, separate from this one, I have the same version of pfSense installed, and its firewall logs list as they should.
Thoughts?
-
There could be many lines getting filtered out either as irrelevant or unparseable for some reason. Check the raw log (clog /var/log/filter.log) and see what shows up there and how it compares to the parsed version in the GUI.
-
Hi Jimp. You're right I think about "unparseable" logs. For example, I had a lot of entries in /var/log/filter.log that were like this.
Mar 15 09:38:55 wbpf pf: 00:00:04.639905 rule 1/0(match): block in on em1: (tos 0xc0, ttl 2, id 0, offset 0, flags [none], proto EIGRP (88), length 60)
Mar 15 09:38:55 wbpf pf: 192.168.10.150 > 224.0.0.10:
Mar 15 09:38:55 wbpf pf: EIGRP v2, opcode: Hello (5), chksum: 0xee68, Flags: [none]
Mar 15 09:38:55 wbpf pf: seq: 0x00000000, ack: 0x00000000, AS: 100, length: 20
Mar 15 09:38:55 wbpf pf: General Parameters TLV (0x0001), length: 12
Mar 15 09:38:55 wbpf pf: holdtime: 15s, k1 1, k2 0, k3 1, k4 0, k5 0
Then I would have a simpler entry like this that does actually show in the GUI firewall log:
Mar 15 11:24:14 wbpf pf: 00:02:59.476224 rule 1/0(match): block in on em0: (tos 0x0, ttl 108, id 256, offset 0, flags [none], proto TCP (6), length 40)
Mar 15 11:24:14 wbpf pf: 218.22.87.214.6000 > 172.16.10.10.3389: Flags , cksum 0x2403 (correct), seq 1059782656, win 16384, length 0
Does the filter.log have a maximum size in bytes? It looks like roughly 500K and it never seems to change. It seems like a lot of the unparsables may be clearing the /var/log/filter.log and the GUI firewall log in a way, rolling over somehow?
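An added example, not from the thread and not pfSense's own parser: a small Python parser modelled on the structure of the lines quoted above. It groups raw filter.log lines into one entry per "rule N/M(match)" header and treats the following lines as continuations of that entry, so the constructed sample (the eight lines quoted above) collapses from 8 raw lines to 2 entries. That is one reason the raw file can hold far more lines than the number of entries a per-entry view shows; how the pfSense GUI itself parses or skips such lines is not something this snippet claims to reproduce.

```python
import re

# Constructed sample: the eight pf lines quoted above (one verbose EIGRP packet
# spread over six syslog lines, then a two-line TCP entry). Not live traffic.
SAMPLE_LOG = """\
Mar 15 09:38:55 wbpf pf: 00:00:04.639905 rule 1/0(match): block in on em1: (tos 0xc0, ttl 2, id 0, offset 0, flags [none], proto EIGRP (88), length 60)
Mar 15 09:38:55 wbpf pf: 192.168.10.150 > 224.0.0.10:
Mar 15 09:38:55 wbpf pf: EIGRP v2, opcode: Hello (5), chksum: 0xee68, Flags: [none]
Mar 15 09:38:55 wbpf pf: seq: 0x00000000, ack: 0x00000000, AS: 100, length: 20
Mar 15 09:38:55 wbpf pf: General Parameters TLV (0x0001), length: 12
Mar 15 09:38:55 wbpf pf: holdtime: 15s, k1 1, k2 0, k3 1, k4 0, k5 0
Mar 15 11:24:14 wbpf pf: 00:02:59.476224 rule 1/0(match): block in on em0: (tos 0x0, ttl 108, id 256, offset 0, flags [none], proto TCP (6), length 40)
Mar 15 11:24:14 wbpf pf: 218.22.87.214.6000 > 172.16.10.10.3389: Flags , cksum 0x2403 (correct), seq 1059782656, win 16384, length 0
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pf: (?P<msg>.*)$")
# header line of an entry: matched rule, action, direction, interface, protocol
RULE_RE = re.compile(r"rule (?P<rule>\d+/\d+)\(match\): (?P<act>pass|block) (?P<dir>in|out) "
                     r"on (?P<iface>\w+): \(.*proto (?P<proto>\w+) \(\d+\), length \d+\)")
# continuation line carrying 'src[.port] > dst[.port]:' (no ports for EIGRP)
ADDR_RE = re.compile(r"^(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
                     r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:")

def parse_filter_log(text):
    """One entry per 'rule N/M(match)' header; later lines are continuations of it,
    the first 'src > dst:' line supplies endpoints; orphan continuations are dropped."""
    entries, current = [], None
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue                       # not a pf syslog line at all
        msg = m.group("msg")
        r = RULE_RE.search(msg)
        if r:                              # a new entry starts here
            current = {"time": m.group("ts"), "src": None, "sport": None,
                       "dst": None, "dport": None, "lines": 1, **r.groupdict()}
            entries.append(current)
            continue
        if current is None:
            continue                       # continuation line with no header
        current["lines"] += 1
        a = ADDR_RE.match(msg)
        if a and current["src"] is None:
            current.update(a.groupdict())
    return entries

def summarize(text):
    entries = parse_filter_log(text)       # (raw non-empty lines, entries, details)
    return sum(1 for ln in text.splitlines() if ln.strip()), len(entries), entries
```

Running summarize(SAMPLE_LOG) reports 8 raw lines but only 2 entries; the EIGRP entry carries no ports, the TCP one does.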
-
For that, see http://doc.pfsense.org/index.php/Why_can%27t_I_view_view_log_files_with_cat/grep/etc%3F_%28clog%29
-
Ok. Thanks Jimp.