volume for /var/log full
-
As you can see I have a full /var volume and plenty of space on the hdd.
[2.4.4-RELEASE][admin@pfsense]/home/admin: df -h Filesystem Size Used Avail Capacity Mounted on /dev/ufsid/5c162167a0674520 7.2G 1.0G 5.6G 16% / devfs 1.0K 1.0K 0B 100% /dev /dev/md0 62M 592K 56M 1% /tmp /dev/md1 96M 96M -7.7M 109% /var devfs 1.0K 1.0K 0B 100% /var/dhcpd/dev
What is the best procedure to move /var/log over to the other device?
-
Actually the SSD is 16GB, thus I should even have unassigned disk space to use for logging...
smartctl 6.6 2017-11-05 r4594 [FreeBSD 11.2-RELEASE-p10 amd64] (local build) Copyright (C) 2002-17, Bruce Allen, Christian Franke, www.smartmontools.org === START OF INFORMATION SECTION === Device Model: SanDisk SSD i110 16GB Serial Number: 141000123960 LU WWN Device Id: 5 001b44 0dfd82238 Firmware Version: i221000 User Capacity: 16,013,942,784 bytes [16.0 GB] Sector Size: 512 bytes logical/physical Rotation Rate: Solid State Device Form Factor: 1.8 inches Device is: Not in smartctl database [for details use: -P showall] ATA Version is: ACS-2 T13/2015-D revision 3 SATA Version is: SATA 3.0, 6.0 Gb/s (current: 6.0 Gb/s) Local Time is: Sat Feb 29 22:35:46 2020 EST SMART support is: Available - device has SMART capability. SMART support is: Enabled
-
You have enabled RAM disks for
/var
and/tmp
(System > Advanced, Misc tab)Either increase the amount of space allocated for
/var
there, or disable RAM disks so/var
will be on the disk and not in RAM. -
@jimp Thanks very much.
I have amply room to increase the RAM disk, and am now back down to 11% usage. -
I had/have a similar problem with /var (on RAM disk) suddenly filling up. In my case it looks like Snort is the cause, even though it's configured to keep the logs at max. 100 MB. Re saved the Snort Config and the space got cleared. Let's see if it appears again.
-
@FreeMindedCH said in volume for /var/log full:
Let's see if it appears again.
Be carefull : from what I understood, a check is made every DAY. In one day snort can do much more as 100 Mbytes ....
( and if the checking code code doesn't work well, your disk/partition fills up, and take down your system )Anyway : if you use snort, no choice, you have to check yourself far more as ones a day the snort logs - and while your at it, the logs total size, because why would you log that much if you don't check it yourself ??
-
@Gertjan thanks for pointing that out. I had installed Snort approx. 2 years ago and never really started using it. It started becoming an issue only a few weeks ago. I have no idea what has changed.
-
Yes, be sure to set the total log size limit in Snort as well as the individual log limits to prevent duplicate files filling the drive.