• var/log

    General pfSense Questions logging logger
    16
    0 Votes
    16 Posts
    514 Views
    stephenw10S
    They all can be run with ram disks but you need to use care doing so. I have Snort and pfBlocker running with ram disks on a 3100 here and it's fine. But I have selected only a few lists/signatures. Generally Snort and Suricata should not be and that's coming from the packages maintainer.
  • How to change Kea DHCP log level

    DHCP and DNS kea logging verbosity severity
    17
    0 Votes
    17 Posts
    9k Views
    GertjanG
    pfSense 25.11 - you added leases logs and kea won't start : read on : kea 4 and 6 won't start if the file output folder is /var/log/. It has to be /var/log/kea/
    [25.11-RELEASE][root@pfSense.bhf.tld]/var/log:
    2025-12-15 10:40:05.854 FATAL [kea-dhcp-ddns.dctl/81131.0x1437a5275010] DCTL_CONFIG_FILE_LOAD_FAIL DhcpDdns reason: Configuration parsing failed: invalid path in `output`: invalid path specified: '/var/log', supported path is '/var/log/kea' (/usr/local/etc/kea/kea-dhcp-ddns.conf:39:13)
    Service failed: Could Not load configuration file: Configuration parsing failed: invalid path in `output`: invalid path specified: '/var/log', supported path is '/var/log/kea' (/usr/local/etc/kea/kea-dhcp-ddns.conf:39:13)
    So, again, this is only valid for suckers like me that use the JSON mod 'leases log' as proposed above.
    Solution :
    mkdir /var/log/kea
    Change
    "output": "/var/log/kea-dhcp-leases.log",
    for
    "output": "/var/log/kea/kea-dhcp-leases.log",
    Save, Apply, and back to the coffee dispenser.
  • 1 Votes
    10 Posts
    6k Views
    JonathanLeeJ
    @JonathanLee said in UNOFFICIAL GUIDE: Have Package Logs Record to a secondary SSD drive Snort Syslog Squid and or Squid cache system:
    ln -s -F /nvme/LOGS_Optane/snort /var/log/snort
    Also you can do this with suricata.
    /var/log/suricata remove this
    mkdir /nvme/LOGS_Optane/suricata
    ln -s -F /nvme/LOGS_Optane/suricata /var/log/suricata
  • 1 Votes
    5 Posts
    983 Views
    stephenw10S
    https://redmine.pfsense.org/issues/15874 https://redmine.pfsense.org/issues/15873 Thanks!
  • 0 Votes
    2 Posts
    2k Views
    JonathanLeeJ
    I know what you're thinking: big deal, I got logs in pfSense. But here the issue is, most often you will be running your AP in bridge mode and having pfSense hand out the DHCP addresses, and if you're in bridge mode not much info on what's connecting to the NAS internally behind the firewall is ever seen on the firewall logs. This gives you a level of visibility not normally seen within pfSense unless it is configured. Again, if you can do it with one AP you can do it with an alias for many APs on a bigger network. This gives you more information into possible MAC spoofing and unauthorized access. If you use remote access and Dynamic DNS for your network, you can see the firewall logs and the AP logs as well.
  • System Logs / Firewall Not Logging

    Firewalling log view logging
    12
    0 Votes
    12 Posts
    2k Views
    Bob.DigB
    @Bob-Dig said in System Logs / Firewall Not Logging: You are right, I also can't see it. I call @johnpoz Ooops, now I see it... was too late for me that day.
  • 1 Votes
    11 Posts
    6k Views
    M
    @michmoor said in Graylog server on a raspberry pi: The 'count' in your charts. Should we assume that's how many sessions were created on the firewall, i.e. how many times a packet hit that rule? Based on what I've observed so far, this would be the same thing you would see in System logs > Firewall in pfSense logs. Since it's a game, it is probably using UDP, right? I never played Roblox.. So I can't tell. You can click the play button inside this chart to take a look at each of those entries to check.
  • Suppress "arp: is using my IP address"

    General pfSense Questions logging
    7
    0 Votes
    7 Posts
    3k Views
    AndyRHA
    Downtime at my house is not a thing. It has been booted after this started and has only been up 23 days... embarrassingly short time... I just now got around to asking if there is a way to stop it. Thank you for the suggestions.
  • How to get Suricata logs into Graylog?

    IDS/IPS logging pfsense suricata
    3
    2
    0 Votes
    3 Posts
    3k Views
    L
    @kiokoman Ugh, thank you! Working now!
  • 0 Votes
    2 Posts
    1k Views
    DerelictD
    RRD intentionally aggregates data into larger intervals as the data gets older. The monitoring graphs are intended to provide troubleshooting information, not be a high-resolution, historical archive. For that you can query the device using something like cacti or zabbix or a plethora of others. Setting 8 hours x 1 minute resolution is pretty comprehensive. Anything longer than 8 hours and the resolution will be reduced.