How to filter Firewall log by time

trungnt · Nov 5, 2016, 12:59 AM

Hi all,

I access this Status -> System Logs -> Firewall -> Normal View, I can't filter log by time,

Please, held me.

Tks

NOYB · Nov 5, 2016, 9:04 AM

Think you can.

It appears there is a leading space for single digit day of month.
So for single digit day of month insert an additional space between the month and day of month.

Also remember. These are regular expressions. So one could also do something like "Nov +4".

trungnt · Nov 7, 2016, 3:01 AM

Thank you, NOYB,

I try it but not OK,
1. for example: single digit day of month but not day.
2. insert an additional space between the month and day of month is not ok
3. So one could also do something like "Nov +4" is not OK (No logs to display.)

Please help me!

NOYB · Nov 7, 2016, 3:14 AM

What version pfSense?

Do an unfiltered log, then test time filter with the month and day of one that exists.

For example Nov +6

You didn't include the quotes did you?

What is the exact string you are entering into the filter time field?

trungnt · Nov 7, 2016, 5:29 AM

Dear NOYB,

The pfsese version is Latest Stable Version 2.3.2

You didn't include the quotes did you? -> yes, i did. I didn't include the quotes.

What is the exact string you are entering into the filter time field? Nov +7 (nowaday), but is not OK,

Tks

NOYB · Nov 7, 2016, 6:08 AM

What is the line number of the first matching filter log record from this shell command?


grep -iEn "Nov +7" /var/log/filter.log

How many records (lines) are in the filter log?


grep -iEc " " /var/log/filter.log

trungnt · Nov 7, 2016, 8:56 AM

Thank you NOYB,

grep -iEn "Nov +7" /var/log/filter.log -> OK
grep -iEc " " /var/log/filter.log -> OK

But i want to filter in the GUI (Status -> System Logs -> Firewall -> Normal View)

NOYB · Nov 7, 2016, 10:18 AM

Yes I know. Those are trouble shooting steps. Not asking for ok. Asking for the results.

trungnt · Nov 8, 2016, 1:39 AM

Thank NOYB,

I want to filter in the GUI (Status -> System Logs -> Firewall -> Normal View).

please help me,

NOYB · Nov 8, 2016, 2:01 AM

@trungnt:

Thank NOYB,

I want to filter in the GUI (Status -> System Logs -> Firewall -> Normal View).

please help me,

I know that is what you want. And I will try to help you with that if you provide information requested.

trungnt · Nov 8, 2016, 2:48 AM

Thank NoYB

grep -iEn "Nov +7" /var/log/filter.log

For example:

196998:Nov 7 13:38:48 fw_pfsense filterlog: 105,16777216,,1478051386,re2,match,pass,in,4,0x0,,127,4878,0,none,17,udp,63,192.168.1.100,10.0.0.11,57034,53,43
196999:Nov 7 13:38:48 fw_pfsense filterlog: 64,16777216,,1000003715,re1,match,pass,out,4,0x0,,126,4878,0,none,17,udp,63,192.168.1.100,10.0.0.11,57034,53,43
197000:Nov 7 13:38:48 fw_pfsense filterlog: 105,16777216,,1478051386,re2,match,pass,in,4,0x0,,127,4879,0,none,17,udp,63,192.168.1.100,10.0.0.11,54723,53,43
197001:Nov 7 13:38:48 fw_pfsense filterlog: 64,16777216,,1000003715,re1,match,pass,out,4,0x0,,126,4879,0,none,17,udp,63,192.168.1.100,10.0.0.11,54723,53,43
197002:Nov 7 13:38:48 fw_pfsense filterlog: 206,16777216,,1477384617,re1,match,pass,in,4,0x0,,128,11084,0,none,17,udp,74,10.0.0.11,8.8.8.8,60216,53,54
197003:Nov 7 13:38:48 fw_pfsense filterlog: 64,16777216,,1000003715,re0,match,pass,out,4,0x0,,127,11084,0,none,17,udp,74,10.0.0.11,8.8.8.8,60216,53,54

grep -iEc " " /var/log/filter.log
2447645

NOYB · Nov 8, 2016, 3:49 AM

Perfect. That is what was needed. Can now tell you exactly why it is not working.

The Web GUI Advanced Filter is restricted to most recent 10,000 log records. Those Nov 7 records are probably from a previous year and thus are not within the most recent 10,000 log records.

I had recently proposed to remove the restriction. But it was opted to just raise it from 5,000 to 10,000 instead. 10,000 is sufficient for most typical use. But there are a few situations like this where it is not.

Here is the bug report with links to forum thread:
https://redmine.pfsense.org/issues/6652

trungnt · Nov 8, 2016, 4:45 AM

Thank NOYB,

so, do I have to update Version 2.3.2_1? Is the problem resolving?

NOYB · Nov 8, 2016, 5:03 AM

No. _1 does not change this.

You need you reduce the log file size.

If more history is required an external log server is typically used.

trungnt · Nov 8, 2016, 5:40 AM

If more history is required an external log server is typically used.

-> The problem is not resovling, is it?

Tks

NOYB · Nov 8, 2016, 5:54 AM

There is currently no proposed code change for this.

The solution is to reduce the log file size and use an external log server if longer term log history of more than 10,000 records is required.

trungnt · Nov 8, 2016, 7:19 AM

Thank NOYB,

The solution is to reduce the log file size and use an external log server if longer term log history of more than 10,000 records is required.

Change the maximum log file size to what You recommended? What is the maximum?

Thank you so much!

NOYB · Nov 8, 2016, 7:30 AM

I do not know your requirements and do not have a recommendation for you.
I can only tell you what I use. Whether or not it is appropriate for you is something you will have to decide.
I use the default log file size.