Traffic logging
-
Hello there,
very often it happens I need to log all the traffic going through the Firewall for 30, 60 or even more days. I actually use a syslog server, where similar logging is needed, and I check the option "Log packets that are handled by this rule" in the firewall rules.
This way logging works like a charm. When I try to log traffic directly on pfSense local disk, doesn't matter the file size I set, I'm not able to log more than 24-48 hours.
Tested with SG-3100 with 32GB SSD option.
Any suggestions?
Very often it happens that the syslog server is not a viable option, due to lack of infrastructure/limited funds available.
-
You do understand the logs on pfsense are circular right, and they have a size setting (which you can adjust) to when they rollover.
https://doc.pfsense.org/index.php/Log_Settings
Log File Size (bytes): The size allocated for each circular log file. Defaults to 500KB per file. Described in more detail in Adjusting the Size of Log Files.
https://doc.pfsense.org/index.php/Why_can't_I_view_view_log_files_with_cat/grep/etc%3F_(clog)
If you need to keep your logs for a specific amount of time, be it 1 day or 1000, I would suggest you send the logs to a syslog server, yes.. But you can adjust pfsense to make it easier to view a longer amount of logs on pfsense itself.
-
What I can't understand is why, using the syslog server, I can store 1 month of a typical specific environment traffic with more or less 4GB uncompressed data, while with pfSense local log to disk storage, even if I set the Firewall log size to 10GB I can't find data older than 2 days.
Am I missing something?
Thank you
-
Can not find it where? The gui log is only going to show the last X number of entries.. No matter how big you make the file..
Also when you adjusted your log size from the default 500 did you read the NOTE.. Where you have to clear for the new size to take effect..
NOTE: Log sizes are changed the next time a log file is cleared or deleted. To immediately increase the size of the log files, first save the options to set the size, then clear all logs using the "Reset Log Files" option farther down this page.
Setting log files to 10G would be ALL log files, not just the filter.log so you could run out of space setting them too big..
Here I just modified mine to be 5MB in size each… After reset you can see in the dir they are all set to 5MB
[2.4.2-RELEASE][root@sg4860.local.lan]/var/log: ls -lah
total 88816
drwxr-xr-x 6 root wheel 1.0K Feb 7 14:00 .
drwxr-xr-x 29 root wheel 512B Jan 23 21:52 ..
-rw-r--r-- 1 root wheel 42K Sep 17 20:05 bsdinstall_log
-rw------- 1 root wheel 4.8M Feb 16 13:30 dhcpd.log
-rw-r--r-- 1 root wheel 9.7K Jan 11 14:45 dmesg.boot
-rw------- 1 root wheel 4.8M Feb 16 13:31 filter.log
-rw------- 1 root wheel 4.8M Feb 16 13:29 gateways.log
-rw-r--r-- 1 root wheel 10K Jan 23 13:06 haproxy.log
-rw------- 1 root wheel 4.8M Feb 16 13:29 ipsec.log
-rw------- 1 root wheel 4.8M Feb 16 13:29 l2tps.log
<snipped>
In your system log settings what does it show you for space of your log files… Here is mine after I adjusted to 5MB size
Disk space currently used by log files is: 94M Remaining disk space for log files: 20G
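The two replies above explain why local retention is short: pfSense's clog files are fixed-size circular buffers, so history is bounded by the configured Log File Size divided by the write rate, and the size applies to every log file, not only filter.log. The following is an added example (not from this thread and not pfSense code) that models a circular log as a byte-capped buffer and works out how much history a given size holds. The sample filterlog line is constructed, and the per-line size and rate are assumptions you would replace with numbers measured from your own filter.log.

```python
# Added example, not from the forum thread or the pfSense project: a toy
# fixed-size circular log plus retention arithmetic for a given log size.
from collections import deque

# Constructed sample line in the style of a pfSense 2.4 filterlog entry (not a capture).
SAMPLE_LINE = (
    "Feb 16 13:31:02 pfSense filterlog: 5,,,1000000103,igb0,match,block,in,4,"
    "0x0,,64,12345,0,DF,6,tcp,60,192.0.2.10,198.51.100.20,51234,443,0,S,"
    "1234567890,,65535,,mss;sackOK;TS;nop;wscale\n"
)


class CircularLog:
    """Holds at most `capacity` bytes of lines; the oldest lines are discarded first."""

    def __init__(self, capacity):
        self.capacity = capacity
        self._lines = deque()
        self._size = 0

    def write(self, line):
        self._lines.append(line)
        self._size += len(line)
        # Evict from the head until the buffer fits: this is where old history vanishes.
        while self._size > self.capacity and self._lines:
            self._size -= len(self._lines.popleft())

    def lines(self):
        return list(self._lines)


def retention_seconds(capacity_bytes, bytes_per_line, lines_per_second):
    """Seconds of history a circular log can hold at a steady write rate."""
    return capacity_bytes / (bytes_per_line * lines_per_second)


def size_for_days(days, bytes_per_line, lines_per_second):
    """Bytes a circular log needs to retain `days` of history at a steady rate."""
    return int(days * 86400 * bytes_per_line * lines_per_second)


def size_from_observed_volume(observed_bytes, observed_days, target_days):
    """Scale a volume measured on a syslog server (e.g. 4 GB over 30 days) to a target window."""
    return int(observed_bytes * target_days / observed_days)


if __name__ == "__main__":
    per_line = len(SAMPLE_LINE.encode())
    log = CircularLog(500 * 1024)  # pfSense default Log File Size (500KB)
    for _ in range(10_000):
        log.write(SAMPLE_LINE)
    print(f"{len(log.lines())} of 10000 lines survive in a 500KB circular log")
    # 50 lines/s is an assumed rate for a busy rule with logging enabled.
    print(f"{retention_seconds(500 * 1024, per_line, 50):.0f} s of history at 50 lines/s")
    gb = 1024 ** 3
    print(f"{size_for_days(30, per_line, 50) / gb:.1f} GB for 30 days at that rate")
    print(f"{size_from_observed_volume(4 * gb, 30, 30) / gb:.1f} GB for 30 days "
          "at the 4 GB/month volume seen on the syslog server")
```

Measure `bytes_per_line` and `lines_per_second` from your own filter.log rather than from the constructed line, and remember that whatever size you settle on is allocated to each log file on disk, so check the remaining log space shown in the System Log settings before choosing a large value, and reset the logs so the new size takes effect.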