Disable nginx access log (to remote syslog server)

arrmo · May 20, 2020, 11:29 PM

Hi,

I have pfSense set up to send syslog information to a remote syslog server - in general it's working fine, no issues. But ... nginx is sending a LOT of traffic across (e.g. ~ 2400 messages in 2 hours), and this is all just for accesses (i.e. access log). I'd like to disable this particular item, and I think the file I need to mess with is /var/etc/syslog.d/pfSense.conf ... but I admit, I'm not real familiar with the syntax of this file. Has anyone had any luck configuring this?

Thanks in advance for any pointers!

Gertjan · May 21, 2020, 8:36 AM

True, these "access logs" are not really needed and do pollute de remote log.

@arrmo said in Disable nginx access log (to remote syslog server):

/var/etc/syslog.d/pfSense.conf

Noop.
This is the one that controls syslogd : /etc/syslog.conf
It's build here 985 -> 1080 in /etc/inc/system.inc

I tried to rebuild somewhat the last statement :
Mine is :

*.* 								@192.168.1.4

so it excludes logs from 'nginx' as a program, or "Local5" as the facility, but no access.

It's also possible to inform nginx to shut up. See line 1447 :

	access_log      syslog:server=unix:/var/run/log,facility=local5 combined;

in the same system.inc file.

What somewhat seem to work without any pfSense file edits :

Another solution : On the remote site, filter out Local5.Info messages

arrmo · May 21, 2020, 10:54 PM

@Gertjan said in Disable nginx access log (to remote syslog server):

True, these "access logs" are not really needed and do pollute de remote log.

@arrmo said in Disable nginx access log (to remote syslog server):

/var/etc/syslog.d/pfSense.conf

Noop.
This is the one that controls syslogd : /etc/syslog.conf

Yes, agree with you! I was thinking filtering at syslog, but I like your idea better

It's build here 985 -> 1080 in /etc/inc/system.inc

I tried to rebuild somewhat the last statement :
Mine is :
*.* 								@192.168.1.4
so it excludes logs from 'nginx' as a program, or "Local5" as the facility, but no access.

OK, you lost me there, sorry. With *.* ... everything gets sent across, no? I may be missing your point.

It's also possible to inform nginx to shut up. See line 1447 :
	access_log      syslog:server=unix:/var/run/log,facility=local5 combined;
in the same system.inc file.

What somewhat seem to work without any pfSense file edits :

Yes, agreed! I like this approach. I changed that line to ,

access_log off;

And voila, after a webConfigurator restart (to regenerate the needed files) ... no "noise" from the access log. I think this is the best way to go, agreed?

Another solution : On the remote site, filter out Local5.Info messages

Right, but that still means all those messages going across => lots of bandwidth and horsepower chewed up (for no good reason ... agreed?)

Thanks for the thoughts and pointers - much appreciated!