Problems with SSD filling up
I am fairly new to PFSense. I am running PFSense on a core duo with 4GB of ram. OS is on SSD with I believe 15GB.
It is basic install except for I have PFblockerNG installed and running. Was running snort prior but after I had same problem, and reinstalled PFsense, did not put it back on.
Issue I have is that the SSD fills up slowly. It is at 90% now. Is there any reason why it is filling up? I though of logs, and looked at them, but did not find anything weird (as far as I can tell). I did not turn on any additional logging or other.
Just guessing here...try maybe using the RAM drive and automatic log managment for your logging stuff.
With automatic log management enabled you shouldn't have the issue of filling up your drive.
I have never had the issue of logs filling up my SSD drive on current PFSense computer. I am using a 32 Gb SSD drive here.
Looking at the Dashboard here see: 5% of 27GiB - ufs used for PFSense.
There is a "bug" in Suricata where the logs are not set to rotate by default, even though it looks like they are in the GUI. But you're saying you aren't using that. Unless some sort of log is not rotating or similar increasing disk usage, disk usage should not really vary much.
Can you connect via SSH/shell and run something like:
find / -type f -size +50M
That should list all files over 50 MB.
Thank you teamits.
Helping peer new2fire I found the large files to be either snort or squid related a few months ago. I manually deleted the logs and a week or so later they were there.
Over time the user rebuilt box from scratch and it happened again.
Also getting following error:
PHP ERROR: Type: 1, File: /usr/local/pkg/pfblockerng/pfblockerng.inc, Line: 2496, Message: Allowed memory size of 536870912 bytes exhausted (tried to allocate 8192 bytes) @ 2018-06-20 15:48:17
@teamits I did the
find / -type f -size +50M
and got the following:
/root/ntopng.core 125595648 is the size of that file
The PHP error is the PHP process going over 512 MB RAM. That's pretty big for a PHP process. Do you have a lot of pfBlockerNG aliases or something? Check Firewall/pfBlockerNG/Logs? It should be only a relatively few lines per day. (50?)
The .core file is going to be a core dump for a crashed process and delete-able. Even if it's huge, and taking up lots of space by itself, that wouldn't explain "slowly filling up."
Under "StatusSystem/Logs/Firewall/Normal View"
there are a lot. the 50 that fill up the page occur within 6 min.
Under "Firewall/pfBlockerNG/Logs" What am I looking for? Nothing shows up in 'log'. There are several drop downs, but not sure what to select.
We have our pfB,lockerNG updating once a day. What is the CRON Settings schedule set to on Firewall/pfBlockerNG/General?
it is set to every hour. The default setting.
So, Under: Firewall/pfBlockerNG/General
I changed the "Log File Size" from default 20,000 to 10,000. It immediately dropped my disk usage to 10%. That must have been it. The default PFSense setting must assume most users will have larger drive. Thank you both and I will keep monitoring and provide update.
I also changed the Cron setting to once a day. But I don't think that this was the issue.
Good news new2fire!!
So, I have been watching my disk space again and it is creeping up again. It is up to 45% since I posted that I had gotten it down to 10%, 25 days ago. I have not made any changes.