volume for /var/log full

linuxlover2

As you can see I have a full /var volume and plenty of space on the hdd.

[2.4.4-RELEASE][admin@pfsense]/home/admin: df -h
Filesystem                     Size    Used   Avail Capacity  Mounted on
/dev/ufsid/5c162167a0674520    7.2G    1.0G    5.6G    16%    /
devfs                          1.0K    1.0K      0B   100%    /dev
/dev/md0                        62M    592K     56M     1%    /tmp
/dev/md1                        96M     96M   -7.7M   109%    /var
devfs                          1.0K    1.0K      0B   100%    /var/dhcpd/dev

What is the best procedure to move /var/log over to the other device?

linuxlover2

Actually the SSD is 16GB, thus I should even have unassigned disk space to use for logging...

smartctl 6.6 2017-11-05 r4594 [FreeBSD 11.2-RELEASE-p10 amd64] (local build)
Copyright (C) 2002-17, Bruce Allen, Christian Franke, www.smartmontools.org

=== START OF INFORMATION SECTION ===
Device Model:     SanDisk SSD i110 16GB
Serial Number:    141000123960
LU WWN Device Id: 5 001b44 0dfd82238
Firmware Version: i221000
User Capacity:    16,013,942,784 bytes [16.0 GB]
Sector Size:      512 bytes logical/physical
Rotation Rate:    Solid State Device
Form Factor:      1.8 inches
Device is:        Not in smartctl database [for details use: -P showall]
ATA Version is:   ACS-2 T13/2015-D revision 3
SATA Version is:  SATA 3.0, 6.0 Gb/s (current: 6.0 Gb/s)
Local Time is:    Sat Feb 29 22:35:46 2020 EST
SMART support is: Available - device has SMART capability.
SMART support is: Enabled

jimp

You have enabled RAM disks for /var and /tmp (System > Advanced, Misc tab)

Either increase the amount of space allocated for /var there, or disable RAM disks so /var will be on the disk and not in RAM.

linuxlover2

@jimp Thanks very much.
I have amply room to increase the RAM disk, and am now back down to 11% usage.

FreeMindedCH

I had/have a similar problem with /var (on RAM disk) suddenly filling up. In my case it looks like Snort is the cause, even though it's configured to keep the logs at max. 100 MB. Re saved the Snort Config and the space got cleared. Let's see if it appears again.

Gertjan

@FreeMindedCH said in volume for /var/log full:

Let's see if it appears again.

Be carefull : from what I understood, a check is made every DAY. In one day snort can do much more as 100 Mbytes ....
( and if the checking code code doesn't work well, your disk/partition fills up, and take down your system )

Anyway : if you use snort, no choice, you have to check yourself far more as ones a day the snort logs - and while your at it, the logs total size, because why would you log that much if you don't check it yourself ??

FreeMindedCH

@Gertjan thanks for pointing that out. I had installed Snort approx. 2 years ago and never really started using it. It started becoming an issue only a few weeks ago. I have no idea what has changed.

stephenw10

Yes, be sure to set the total log size limit in Snort as well as the individual log limits to prevent duplicate files filling the drive.