How to filter Firewall log by time
-
Thanks, NOYB.
I want to filter in the GUI (Status -> System Logs -> Firewall -> Normal View).
Please help me.
-
Thanks, NOYB.
I want to filter in the GUI (Status -> System Logs -> Firewall -> Normal View).
Please help me.
I know that is what you want. And I will try to help you with that if you provide the information requested.
-
Thanks, NOYB.
grep -iEn "Nov +7" /var/log/filter.log
For example:
196998:Nov 7 13:38:48 fw_pfsense filterlog: 105,16777216,,1478051386,re2,match,pass,in,4,0x0,,127,4878,0,none,17,udp,63,192.168.1.100,10.0.0.11,57034,53,43
196999:Nov 7 13:38:48 fw_pfsense filterlog: 64,16777216,,1000003715,re1,match,pass,out,4,0x0,,126,4878,0,none,17,udp,63,192.168.1.100,10.0.0.11,57034,53,43
197000:Nov 7 13:38:48 fw_pfsense filterlog: 105,16777216,,1478051386,re2,match,pass,in,4,0x0,,127,4879,0,none,17,udp,63,192.168.1.100,10.0.0.11,54723,53,43
197001:Nov 7 13:38:48 fw_pfsense filterlog: 64,16777216,,1000003715,re1,match,pass,out,4,0x0,,126,4879,0,none,17,udp,63,192.168.1.100,10.0.0.11,54723,53,43
197002:Nov 7 13:38:48 fw_pfsense filterlog: 206,16777216,,1477384617,re1,match,pass,in,4,0x0,,128,11084,0,none,17,udp,74,10.0.0.11,8.8.8.8,60216,53,54
197003:Nov 7 13:38:48 fw_pfsense filterlog: 64,16777216,,1000003715,re0,match,pass,out,4,0x0,,127,11084,0,none,17,udp,74,10.0.0.11,8.8.8.8,60216,53,54
grep -iEc " " /var/log/filter.log
2447645
-
Perfect. That is what was needed. Can now tell you exactly why it is not working.
The Web GUI Advanced Filter is restricted to the most recent 10,000 log records. Those Nov 7 records are probably from a previous year and thus are not within the most recent 10,000 log records.
I had recently proposed to remove the restriction. But it was opted to just raise it from 5,000 to 10,000 instead. 10,000 is sufficient for most typical use. But there are a few situations like this where it is not.
Here is the bug report with links to forum thread:
https://redmine.pfsense.org/issues/6652
-
Thanks, NOYB.
So, do I have to update to version 2.3.2_1? Is the problem resolved?
-
No. _1 does not change this.
You need to reduce the log file size.
If more history is required an external log server is typically used.
-
If more history is required an external log server is typically used.
-> The problem is not resolved, is it?
Thanks
-
There is currently no proposed code change for this.
The solution is to reduce the log file size and use an external log server if longer term log history of more than 10,000 records is required.
-
Thanks, NOYB.
The solution is to reduce the log file size and use an external log server if longer term log history of more than 10,000 records is required.
Change the maximum log file size to what you recommended? What is the maximum?
Thank you so much!
-
I do not know your requirements and do not have a recommendation for you.
I can only tell you what I use. Whether or not it is appropriate for you is something you will have to decide.
I use the default log file size.
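
Added example, not part of the thread or of pfSense: a time-window filter over filterlog lines that infers the year the syslog timestamp omits, which is the reason a plain "Nov 7" match can return records from a previous year. It assumes plain-text lines as in the grep output above (without the `grep -n` line-number prefix) and the IPv4 field order seen in those lines; `dated`, `filter_by_time`, the `now` value and the Jan/Mar sample lines are constructed for illustration.

```python
from datetime import datetime

# Two lines from the thread (grep -n prefix removed), then two constructed newer lines.
SAMPLE = [
    "Nov 7 13:38:48 fw_pfsense filterlog: 105,16777216,,1478051386,re2,match,pass,in,4,0x0,,127,4878,0,none,17,udp,63,192.168.1.100,10.0.0.11,57034,53,43",
    "Nov 7 13:38:48 fw_pfsense filterlog: 206,16777216,,1477384617,re1,match,pass,in,4,0x0,,128,11084,0,none,17,udp,74,10.0.0.11,8.8.8.8,60216,53,54",
    "Jan 3 09:15:02 fw_pfsense filterlog: 105,16777216,,1478051386,re2,match,pass,in,4,0x0,,127,5120,0,none,17,udp,63,192.168.1.100,10.0.0.11,50111,53,43",
    "Mar 2 18:40:11 fw_pfsense filterlog: 105,16777216,,1478051386,re2,match,pass,in,4,0x0,,127,6001,0,none,17,udp,63,192.168.1.100,10.0.0.11,50222,53,43",
]

def dated(lines, now):
    """Yield (datetime, csv_fields) newest first, inferring the year syslog omits."""
    year, newer = now.year, now
    for line in reversed(lines):
        head, sep, payload = line.partition(" filterlog: ")
        if not sep:
            continue                          # not a filterlog record
        stamp = " ".join(head.split()[:3])    # e.g. "Nov 7 13:38:48"
        ts = None
        for y in range(year, year - 9, -1):   # bounded search; 8 years covers Feb 29
            try:
                cand = datetime.strptime(f"{y} {stamp}", "%Y %b %d %H:%M:%S")
            except ValueError:                # bad stamp, or Feb 29 in a non-leap year
                continue
            if cand <= newer:                 # first year that does not run forward in time
                year, ts = y, cand
                break
        if ts is None:
            continue                          # unparseable timestamp, skip the line
        newer = ts
        yield ts, payload.strip().split(",")

def filter_by_time(lines, start, end, now):
    """Return IPv4 records with start <= time < end as dicts, newest first."""
    hits = []
    for ts, f in dated(lines, now):
        if ts < start:
            break                             # everything further back is older still
        if ts < end and len(f) > 19 and f[8] == "4":
            has_ports = f[16] in ("tcp", "udp") and len(f) > 21
            hits.append({"time": ts, "iface": f[4], "action": f[6], "dir": f[7],
                         "proto": f[16], "src": f[18], "dst": f[19],
                         "dport": f[21] if has_ports else None})
    return hits

if __name__ == "__main__":
    now = datetime(2017, 3, 5)                # constructed "current time"
    for h in filter_by_time(SAMPLE, datetime(2016, 11, 7), datetime(2016, 11, 8), now):
        print(h["time"], h["iface"], h["action"], h["src"], "->", h["dst"], h["dport"])
```

The year inference relies on the file being in chronological order and cannot detect a gap of more than a year between consecutive lines.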