Netgate Discussion Forum

    pfsense disk usage %109 238gib -ufs

      torefloo

      Hi masters,
      I'm using pfSense 2.4.4, but my disk usage is up to 109% and many services don't work.
      When I check with a shell command I see 238g usage in the /dev/ufsid/5c56aa7e7f88e22be folder. What is this folder and how can I clean it?
      This problem probably started to occur after I started using Suricata; I did not notice that the disk was full.

      I request your support, please.

        Derelict LAYER 8 Netgate

        Probably snort or squid logs.

        If you enabled squid logs be sure you enabled rotation.

        Whatever it is should be in /var.

        This should make it obvious who the culprit is:

        du -skh /var/*

        Then see what it is and drill down from there if necessary, eg:

        du -skh /var/log/*

        The first thing I would do is take a config backup if it will let you. Or at least download one of the configs in the config history. With a full disk like that there is really no telling what didn't get written out properly. Probably not necessary but I would be tempted to reinstall with config recovery if I let a system go to zero-free like that.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          torefloo @Derelict

          @Derelict yes, found it: 237g in /var/log/suricata. How can I delete it?

            Derelict LAYER 8 Netgate

            Probably something like:

            Disabling suricata
            rm -rf /var/log/suricata
            Fixing the run-away logs
            Enabling suricata

            Not exactly sure; I don't have a Suricata install to look at at the moment. Moved to the IDS/IPS forum to get the right eyes on it.

              torefloo

              hi originated from suricata log files , also check the logs mgmt Log Directory Size Limit Log Limit Size selected in MB 3782mb default this choose and LAN interface delete ,
              solved disk usage %1 ,

              for suricata, just activate wan interface?

              thanks.

                bmeeks @torefloo

                @torefloo said in pfsense disk usage %109 238gib -ufs:

                hi originated from suricata log files , also check the logs mgmt Log Directory Size Limit Log Limit Size selected in MB 3782mb default this choose and LAN interface delete ,
                solved disk usage %1 ,

                for suricata, just activate wan interface?

                thanks.

                It is a little hard for me to follow this response. Are you saying you resolved your issue by enabling Log Management and the Log Directory Size Limit, or do you still have a problem?

                You don't state what version of Suricata you are running, but make sure you are on the most recent version. A few versions back there was a bug that caused some log files to grow unabated.

                T 1 Reply Last reply Reply Quote 0
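
An added example, not part of any post in this thread: a POSIX shell check that measures a log directory against a size limit in MB and, when it is over, lists the largest entries, combining the du drill-down and the Log Directory Size Limit discussed above. The function names are hypothetical; the directory and limit in the last lines are the /var/log/suricata path and the 3782 MB value quoted in the thread.

```sh
#!/bin/sh
# Added example (not from the thread): measure a log directory against a
# size limit and show what is filling it. Function names are hypothetical.

# Total size of a directory tree in KiB.
dir_kb() {
    du -sk "$1" 2>/dev/null | awk '{print $1}'
}

# Largest N immediate children, biggest first, as "KiB<TAB>path".
top_children() {
    for entry in "$1"/*; do
        [ -e "$entry" ] && du -sk "$entry"
    done 2>/dev/null | sort -rn | head -n "${2:-5}"
}

# Exit status: 0 = within limit, 1 = over limit, 2 = directory unreadable.
check_limit() {
    dir=$1
    limit_kb=$(( $2 * 1024 ))
    used_kb=$(dir_kb "$dir")
    if [ -z "$used_kb" ]; then
        echo "UNKNOWN $dir: cannot read"
        return 2
    fi
    if [ "$used_kb" -gt "$limit_kb" ]; then
        echo "OVER $dir: ${used_kb} KiB used, limit ${limit_kb} KiB"
        top_children "$dir" 5
        return 1
    fi
    echo "OK $dir: ${used_kb} KiB used, limit ${limit_kb} KiB"
}

# Path and limit are the values mentioned in the thread; skipped when the
# directory does not exist on this host.
if [ -d /var/log/suricata ]; then
    check_limit /var/log/suricata 3782 || true
fi
```

Run from cron, the non-zero exit status on an over-limit directory gives an early signal before the filesystem reaches zero free space.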
                  torefloo @bmeeks

                  @bmeeks yes, enabling Log Management and the Log Directory Size Limit resolved it.

                  My pfSense version is 2.4.4-RELEASE-p2; is this version a problem for Suricata? And

                  what do you recommend for a basic Suricata configuration, and which interface: WAN, LAN, or both?

                  thanks.

                    torefloo @torefloo

                    @torefloo Sorry, the Suricata version is 4.1.4_2.

                      bmeeks

                      The most recent version of the Suricata package is 4.1.4_3 (just posted about an hour ago). Your pfSense version is one patch level behind. Current is 2.4.4_p3.

                      I usually recommend that users put Suricata (or Snort) on their LAN, especially for home networks. Doing so lets you see the addresses in alerts without NAT interfering. When you run it on the WAN, all of your local hosts in alerts will show up with the WAN's public IP address because Suricata sees traffic before NAT rules are applied.

                      The only time I would put Suricata on the WAN is if you have several public facing hosts such as web servers or mail servers that you want to protect.

                        torefloo @bmeeks

                        @bmeeks Thanks. For the pfSense update, is there anything I need to pay attention to in order to update? Can I install the available package shown in System Information directly on top?

                          bmeeks

                          I usually suggest deleting the package and re-installing it, especially for major updates. This update is minor and changes only one PHP file, so you can just do a re-install on the PACKAGE MANAGER tab. If a delete and then install is recommended, I will always put a warning in the package release notes.

                          Suricata will retain your settings even when you delete the package unless you specifically uncheck the Save Settings on De-Install checkbox on the GLOBAL SETTINGS tab. That setting is enabled by default, so you don't lose any settings when you remove the package.

                          So for this update, go to the PACKAGE MANAGER tab and click the re-install icon.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.