How long entry should be found in the logs
-
Hello all,
I ran a test at around 7 pm tonight and was able to see destination port via System Logs/Firewall
Now roughly 45 min later - I see no traces of the same port in the logs. Wow
I see in logs settings GUI Log Entries=50, but it sounds like only on UI.
I expect to be able to see ALL entries within file size settting 500 MB.
I see ‘Disk space currently used by log files is: 295M’ it should be more then 45 mins saved I hope ?!
(And yes I do have “Log packets that are handled by this rule” enabled for the rule tested)What am I missing ?
Thx
-
That page has a config option that allows you to override the defaults. If you want to see more than 50 items, then increase the value for GUI Log Entries.
-
If you change the size of the log files, you have to reset the logs so they are recreated with the new size. Also 500MB is probably way too large for the logs. There are ~20 logs so 500MB will use 10GB of disk space just for logs.
If you are concerned about log-term log storage, feed the logs to an actual log processing and storage host via syslog.
-
This was not what I was asking
Is it long enough 45 min later for an entry in the logs to disappear ?
Thx
-
There is no way to answer that question. That entirely depends on how busy the log file is. If the file rarely gets entries, it could have things that are days old. If it has a lot of activity, it could only contain seconds worth of data.
The logs are binary circular logs that only retain a set number of records. Older entries scroll off.
-
OK here is the test:
I ran Acme update using NAT/FW rule to odd port XYZ.
Enable 2000 (max in logs UI)Jan 31 08:14:53 WAN (1547600972) 34.213.106.112:32920 192.168.90.1:XYZ TCP:S
Note time stamp 08:14:53
Now 8:38 and via Status/System Logs/Firewall/Normal View filter for XYZ shows nothing!???
Here is my log settings https://snag.gy/i93vVZ.jpg
-
Re-read my last post again. Time means nothing. Entries and how busy the logs are governs that.
If you need to know long-term log contents, use a real syslog server, don't use the logs on the firewall itself.
-
Very confusing but ok, thx !
Case to have real syslog server