How to filter Firewall log by time



  • Hi all,

    I access this Status -> System Logs -> Firewall -> Normal View, I can't filter log by time,

    Please, held me.

    Tks



  • Think you can.

    It appears there is a leading space for single digit day of month.
    So for single digit day of month insert an additional space between the month and day of month.

    Also remember.  These are regular expressions.  So one could also do something like "Nov +4".



  • Thank you,  NOYB,

    I try it but not OK,
    1. for example: single digit day of month but not day.
    2. insert an additional space between the month and day of month is not ok
    3. So one could also do something like "Nov +4" is not OK (No logs to display.)

    Please help me!



  • What version pfSense?

    Do an unfiltered log, then test time filter with the month and day of one that exists.

    For example Nov +6

    You didn't include the quotes did you?

    What is the exact string you are entering into the filter time field?



  • Dear NOYB,

    The pfsese version is Latest Stable Version 2.3.2

    You didn't include the quotes did you? -> yes, i did. I didn't include the quotes.

    What is the exact string you are entering into the filter time field? Nov +7 (nowaday), but  is not OK,

    Tks



  • What is the line number of the first matching filter log record from this shell command?

    
    grep -iEn "Nov +7" /var/log/filter.log
    
    

    How many records (lines) are in the filter log?

    
    grep -iEc " " /var/log/filter.log
    
    


  • Thank you NOYB,

    grep -iEn "Nov +7" /var/log/filter.log -> OK
    grep -iEc " " /var/log/filter.log -> OK

    But i want to filter  in the GUI (Status -> System Logs -> Firewall -> Normal View)



  • Yes I know.  Those are trouble shooting steps.  Not asking for ok.  Asking for the results.



  • Thank NOYB,

    I want to filter  in the GUI (Status -> System Logs -> Firewall -> Normal View).

    please help me,



  • @trungnt:

    Thank NOYB,

    I want to filter  in the GUI (Status -> System Logs -> Firewall -> Normal View).

    please help me,

    I know that is what you want.  And I will try to help you with that if you provide information requested.



  • Thank NoYB

    grep -iEn "Nov +7" /var/log/filter.log

    For example:

    196998:Nov  7 13:38:48 fw_pfsense filterlog: 105,16777216,,1478051386,re2,match,pass,in,4,0x0,,127,4878,0,none,17,udp,63,192.168.1.100,10.0.0.11,57034,53,43
    196999:Nov  7 13:38:48 fw_pfsense filterlog: 64,16777216,,1000003715,re1,match,pass,out,4,0x0,,126,4878,0,none,17,udp,63,192.168.1.100,10.0.0.11,57034,53,43
    197000:Nov  7 13:38:48 fw_pfsense filterlog: 105,16777216,,1478051386,re2,match,pass,in,4,0x0,,127,4879,0,none,17,udp,63,192.168.1.100,10.0.0.11,54723,53,43
    197001:Nov  7 13:38:48 fw_pfsense filterlog: 64,16777216,,1000003715,re1,match,pass,out,4,0x0,,126,4879,0,none,17,udp,63,192.168.1.100,10.0.0.11,54723,53,43
    197002:Nov  7 13:38:48 fw_pfsense filterlog: 206,16777216,,1477384617,re1,match,pass,in,4,0x0,,128,11084,0,none,17,udp,74,10.0.0.11,8.8.8.8,60216,53,54
    197003:Nov  7 13:38:48 fw_pfsense filterlog: 64,16777216,,1000003715,re0,match,pass,out,4,0x0,,127,11084,0,none,17,udp,74,10.0.0.11,8.8.8.8,60216,53,54

    grep -iEc " " /var/log/filter.log
    2447645



  • Perfect.  That is what was needed.  Can now tell you exactly why it is not working.

    The Web GUI Advanced Filter is restricted to most recent 10,000 log records.  Those Nov 7 records are probably from a previous year and thus are not within the most recent 10,000 log records.

    I had recently proposed to remove the restriction.  But it was opted to just raise it from 5,000 to 10,000 instead.  10,000 is sufficient for most typical use.  But there are a few situations like this where it is not.

    Here is the bug report with links to forum thread:
    https://redmine.pfsense.org/issues/6652



  • Thank NOYB,

    so, do I have to update Version 2.3.2_1?  Is the problem resolving?



  • No.  _1 does not change this.

    You need you reduce the log file size.

    If more history is required an external log server is typically used.



  • If more history is required an external log server is typically used.

    -> The problem is not resovling, is it?

    Tks



  • There is currently no proposed code change for this.

    The solution is to reduce the log file size and use an external log server if longer term log history of more than 10,000 records is required.



  • Thank NOYB,

    The solution is to reduce the log file size and use an external log server if longer term log history of more than 10,000 records is required.

    Change the maximum log file size  to what You recommended? What is the maximum?

    Thank you so much!



  • I do not know your requirements and do not have a recommendation for you.
    I can only tell you what I use.  Whether or not it is appropriate for you is something you will have to decide.
    I use the default log file size.


Log in to reply