Reducing log noise?



  • Sorry for starting a new topic. I would have replied to this: https://forum.pfsense.org/index.php?topic=39960.0, but the forum software does not give me "reply" as an option on that thread.

    I've read that thread I understand the out of state conditions like TCP:RA being logged. This post is more to a usability problem:
    When I check my logs, nearly all of the traffic on the "Last 50 Firewall Log Entries." view is two local devices phoning home. I have an "things" subnet for devices like home automation devices. These only need to talk out to the Internet. With the current behavior of logging out of state packets, "my Last 50 Firewall Log Entries" is basically useless. Any log line I would like to investigate rolls off the end.

    Is there a different way to solve this problem? Should I looking at a different log file or running it thru a log analyzer of some sort? What do others do to separate these out from potentially "interesting" log lines quickly?



  • Create a separate block rule without logging for the uninteresting traffic that matches the traffic before any default block rule or other rule matches it. This way the traffic never gets logged.


  • Netgate

    And, for quick and dirty log searches, you can exclude multiple patterns with filters like this:

    !pattern1|pattern2

    This works in any field such as !80|443 in destination port.

    And there's always clog /var/log/filter.log | grep any_regex_you_want

    There's a link to PCRE docs on the log filter page if you're feeling randy.