pfBlocker generates 12GBs of logs a day



  • I continue to struggle with the non-dev version of pfBlocker, and it's not just pfBlocker's fault...

    pfBlocker is now generating over 12GBs of logs in the following file, per day:
    /var/log/pfblockerng/dnsbl_error.log

    This has filled up my /var 3 times already, which breaks unbound (see my previous posts).

    I get the lines below[1] in that log over and over and over again... and that log does not seem to get rotated, is not "circular", or not rotated in time enough to keep it from filling up my /var partition.

    Note I have not touched the generated /var/unbound/pfb_dnsbl_lighty.conf file, it is default.

    How can I stop this log from filling up my /var and stop this junk from writing to the log?

    Strangely enough, the dnsbl.log in the same dir, stays a constant size.

    If I go to Status -> System Logs -> Settings -> Reset Log files, this does not clear the above dnsbl_error.log.

    Now I do realize I have one (important) device on my home net that is generating 30(!) DNS requests to api.amplitude.com per second! This is absolutely positively ridiculous, and while I have complained to the OEM, they don't care, it's not going to get "fixed". This also drives up CPU use for lighttpd to 30% of my CPU on pfSense in spurts of 5 minutes at a time.

    I can live with the CPU spikes (that's what pfBlocker is for), but why is the log growing unbounded (no pun intended)?

    Bob

    [1] Ref:
    2020-04-18 10:56:50: (configfile-glue.c.581) === start of condition block ===
    2020-04-18 10:56:50: (configfile-glue.c.325) 3 global/HTTPhost=~.* not available yet
    2020-04-18 10:56:50: (configfile-glue.c.493) 1 (uncached) result: unset
    2020-04-18 10:56:50: (configfile-glue.c.581) === start of condition block ===
    2020-04-18 10:56:50: (configfile-glue.c.449) SERVER["socket"] ( 0.0.0.0:8443 ) compare to 0.0.0.0:8443
    2020-04-18 10:56:50: (configfile-glue.c.493) 2 (uncached) result: true
    2020-04-18 10:56:50: (configfile-glue.c.581) === start of condition block ===
    2020-04-18 10:56:50: (configfile-glue.c.282) go parent global/SERVERsocket==0.0.0.0:8443
    2020-04-18 10:56:50: (configfile-glue.c.500) 2 (cached) result: true
    2020-04-18 10:56:50: (configfile-glue.c.325) 3 global/SERVERsocket==0.0.0.0:8443/HTTPhost=~.* not available yet
    2020-04-18 10:56:50: (configfile-glue.c.493) 3 (uncached) result: unset
    2020-04-18 10:56:50: (configfile-glue.c.581) === start of condition block ===
    2020-04-18 10:56:50: (configfile-glue.c.449) HTTP["host"] ( api.amplitude.com ) compare to .*
    2020-04-18 10:56:50: (configfile-glue.c.493) 1 (uncached) result: true


  • Moderator

    @tazmo best to move to pfBlockerNG-devel FTW!



  • Alright... I'll give that a try next.

    Had to resort to a cron tab that did a:
    /bin/cat /dev/null > /var/log/pfblockerng/dnsbl_error.log

    every 15 minutes. That's a hack!

    Will try the dev version next...

    Thx,
    Bob
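
Added example, not part of any post in this thread and not pfBlockerNG code: a small Python script that reads log lines in the format quoted in the first post and reports which hostnames account for the volume, with each host's busiest second. It assumes each HTTP["host"] comparison line is a rough proxy for one request reaching the DNSBL web server; the function names and the sample lines are constructed for illustration.

```python
import re
import sys
from collections import Counter

# Constructed sample in the format quoted in the first post (not real log data).
SAMPLE = """\
2020-04-18 10:56:50: (configfile-glue.c.581) === start of condition block ===
2020-04-18 10:56:50: (configfile-glue.c.449) SERVER["socket"] ( 0.0.0.0:8443 ) compare to 0.0.0.0:8443
2020-04-18 10:56:50: (configfile-glue.c.493) 2 (uncached) result: true
2020-04-18 10:56:50: (configfile-glue.c.449) HTTP["host"] ( api.amplitude.com ) compare to .*
2020-04-18 10:56:50: (configfile-glue.c.449) HTTP["host"] ( api.amplitude.com ) compare to .*
2020-04-18 10:56:51: (configfile-glue.c.449) HTTP["host"] ( api.amplitude.com ) compare to .*
2020-04-18 10:56:51: (configfile-glue.c.449) HTTP["host"] ( ads.example.test ) compare to .*
truncated line with no timestamp
"""

# Only the HTTP["host"] comparison lines carry the requested hostname.
HOST_LINE = re.compile(
    r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): \(configfile-glue\.c\.\d+\) '
    r'HTTP\["host"\] \( (\S+) \) compare to '
)

def summarize(lines):
    """Return (total_lines, hits per host, peak hits per host in one second)."""
    total = 0
    hits, per_second = Counter(), Counter()
    for line in lines:
        total += 1
        m = HOST_LINE.match(line)
        if m:  # malformed or unrelated lines are counted in total but skipped
            ts, host = m.group(1), m.group(2).lower()
            hits[host] += 1
            per_second[(host, ts)] += 1
    peak = Counter()
    for (host, _ts), n in per_second.items():
        peak[host] = max(peak[host], n)
    return total, hits, peak

def report(lines, top=10):
    """Format the busiest hosts, most frequent first."""
    total, hits, peak = summarize(lines)
    out = [f"{total} lines, {sum(hits.values())} host comparisons"]
    for host, n in hits.most_common(top):
        out.append(f"{n:8d} hits  peak {peak[host]:4d}/s  {host}")
    return "\n".join(out)

if __name__ == "__main__":
    src = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE.splitlines()
    print(report(src))
```

Run with the log path as the only argument to summarize a real file; with no argument it summarizes the constructed sample.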

