log file location
-
I replaced a HDD with a SSD in my pfSense. Everything good. Not thinking about my actions I turned on the feature to run VAR and TEMP in memory. After about 60 secs my pfSense box started spewing out of memory errors and basically the whole system came down for a couple of hours as I manually tried to undo my settings from the command line.
We have a 90 day log everything policy. But I also want to use the VAR in memory feature of BSD to reduce r/w to the SSD. Any chance to specify the location of the log files outside of VAR?
-
-
@papdee said in log file location:
I replaced a HDD with a SSD in my pfSense. Everything good. Not thinking about my actions I turned on the feature to run VAR and TEMP in memory. After about 60 secs my pfSense box started spewing out of memory errors and basically the whole system came down for a couple of hours as I manually tried to undo my settings from the command line.
We have a 90 day log everything policy. But I also want to use the VAR in memory feature of BSD to reduce r/w to the SSD. Any chance to specify the location of the log files outside of VAR?
Modern SSD drives do not suffer from the same write fatigue issues as the older first generation drives. So your concern of too many R/W cycles is not a major consideration anymore. The write cycles now correspond to a typical lifetime of a decade or perhaps more, even with fairly heavy writes.
The log file location is set in pfSense and not easily changeable. You could perhaps custom edit the PHP code in a lot of places, but then all the changes would be undone with the next update. Beware that if you put /var on a RAM disk, logs can be lost when the firewall reboots. That could cause you to not meet your retention policy.
If you have a log retention policy, the best way to address that is an external logging box running something like ELK or graylog to ingest logs from pfSense. That way your log files on the pfSense box itself will be minimal. pfSense can use remote syslog to send the data to another host.
-
@bmeeks said in log file location:
Beware that if you put /var on a RAM disk, logs can be lost when the firewall reboots.
Does syncing to disk happen, either periodically or on shutdown/reboot?
I recently had a thread about RAM disk.
-
@jknott said in log file location:
@bmeeks said in log file location:
Beware that if you put /var on a RAM disk, logs can be lost when the firewall reboots.
Does syncing to disk happen, either periodically or on shutdown/reboot?
I recently had a thread about RAM disk.
Some logs are not sync'd. I don't know which specific pfSense system logs are or are not, but Snort, Suricata and certain pfBlockerNG files can be lost on a RAM disk when the firewall reboots. This is because these packages expect /var and all the subdirectories under it to be persistent across any reboot.
The general sentiment today is that with modern SSD drives the advantages of RAM disks are outweighed by the potential disadvantages.
If I've got just a personal home firewall, maybe RAM disks are fun. But even there some packages may not work reliably (such as Snort, Suricata and pfBlockerNG). If I am an enterprise or business with log retention requirements, I would be exporting logs off to another system and I would not use RAM disks.
-
@bmeeks said in log file location:
I would be exporting logs off to another system and I would not use RAM disks.
That's certainly easy enough to do. A symbolic link to another device or partition would do it.
-
@bmeeks tks for advice. Currently will leave VAR and TEMP on SSD and see if someone has set up a remote syslog I can utilize.
-
Most logs are sync'd to permanent storage at shutdown and restored at boot. Everything you can see in the GUI at least. You only lose anything there if it powers off unexpectedly.
If you have your local logs set large enough to store 90 days of filter logs you would need a huge /var ramdisk. Probably impractically huge.
Yes, exporting the logs via syslog is the correct way to do this.
Steve
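As an added example (not part of the thread and not pfSense code), here is one way the external log host recommended above could receive remote syslog and enforce the 90-day retention: one file per sender per day, pruned by date. It assumes syslog over UDP; the port 5514 and the ./syslog-archive directory are constructed values.

```python
import datetime as dt
import pathlib
import re
import socket

RETENTION_DAYS = 90                    # retention period stated in the thread
PRI = re.compile(r"^<(\d{1,3})>")      # syslog priority prefix, e.g. <134>

def parse_pri(msg):  # '<PRI>rest' -> (facility, severity, rest)
    m = PRI.match(msg)
    if not m or int(m.group(1)) > 191:
        return None, None, msg         # missing or out-of-range priority
    pri = int(m.group(1))
    return pri >> 3, pri & 7, msg[m.end():]

def store(base, source, msg, now):  # append to <base>/<source>/<YYYY-MM-DD>.log
    # Escape embedded newlines so one datagram cannot forge extra log lines.
    fac, sev, rest = parse_pri(msg.strip().replace("\n", "\\n"))
    path = pathlib.Path(base) / source / f"{now:%Y-%m-%d}.log"
    path.parent.mkdir(parents=True, exist_ok=True)
    with path.open("a", encoding="utf-8") as fh:
        fh.write(f"{now.isoformat()} fac={fac} sev={sev} {rest}\n")
    return path

def prune(base, today, keep_days=RETENTION_DAYS):  # returns names removed
    cutoff = today - dt.timedelta(days=keep_days)
    removed = []
    for f in sorted(pathlib.Path(base).glob("*/*.log")):
        try:
            day = dt.date.fromisoformat(f.stem)
        except ValueError:
            continue                   # not a daily file written by store()
        if day < cutoff:
            f.unlink()
            removed.append(f.name)
    return removed

def serve(base, bind="0.0.0.0", port=5514):  # runs until interrupted
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    last = None
    while True:
        data, (ip, _) = sock.recvfrom(8192)
        now = dt.datetime.now()
        store(base, ip, data.decode("utf-8", "replace"), now)
        if now.date() != last:         # prune once per calendar day
            last = now.date()
            prune(base, last)

if __name__ == "__main__":
    serve("./syslog-archive")
```

UDP syslog is unauthenticated and unencrypted, so a receiver like this belongs on a management network with the port restricted to the firewall's address.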