Maximum Log Size
-
Hey all,
So I recently had a spurious mac address show up on my network recently, and I am in the process of trying to figure out what it is.
As part of that process, I have enabled logging on the "default pass" LAN firewall rule. This produces A LOT of log entries, so I needed to increase the size of the log file from it's default 499.5KB.
Since I have pfSense running on a 60GB SSD, I have just under 40GB free on the disk. Just to be sure I would be able to capture all the data I needed, I decided to set the log file to 32GB in size. That didn't work at all. When trying to save setting I got an error that the log file was too large. I tried 16GB. Also too large. 8GB. Also too large. 4GB. Also too large. 2GB. Also too large. 1GB is the largest size which would save.
This should get me a few days of log entries, but it isn't nearly enough to capture a month+ of data if I need it.
So my question is, what determines max log file size? Is it hard coded to 1GB? Or is it dependent on available disk space? Is there any way to get a larger log?
Much obliged,
Matt -
pfSense currently uses a special logging utility called
clogfor its system logging. This utility produces a binary circular log file that is first-in first-out. It is not like a normal syslog file on say Linux. Circular logging was implemented when pfSense was first created because many of the installs were on small memory footprint systems with flash memory (remember NanoBSD).The size limit you are hitting is imposed, I believe, by the
clogutility. Most folks who want to maintain tons of log data use the syslog export feature to send the logs to an external syslog or rsyslog host. -
@bmeeks said in Maximum Log Size:
pfSense currently uses a special logging utility called
clogfor its system logging. This utility produces a binary circular log file that is first-in first-out. It is not like a normal syslog file on say Linux. Circular logging was implemented when pfSense was first created because many of the installs were on small memory footprint systems with flash memory (remember NanoBSD).The size limit you are hitting is imposed, I believe, by the
clogutility. Most folks who want to maintain tons of log data use the syslog export feature to send the logs to an external syslog or rsyslog host.Thank you for that.
I will google to see if I can find any guides regarding syslog export.
-
@mattlach said in Maximum Log Size:
@bmeeks said in Maximum Log Size:
pfSense currently uses a special logging utility called
clogfor its system logging. This utility produces a binary circular log file that is first-in first-out. It is not like a normal syslog file on say Linux. Circular logging was implemented when pfSense was first created because many of the installs were on small memory footprint systems with flash memory (remember NanoBSD).The size limit you are hitting is imposed, I believe, by the
clogutility. Most folks who want to maintain tons of log data use the syslog export feature to send the logs to an external syslog or rsyslog host.Thank you for that.
I will google to see if I can find any guides regarding syslog export.
There are some configuration parameters on the Settings tab of the SYSTEM LOG screen for setting up log export to a remote syslog host. You will find it easiest to create a Linux machine (a VM is perfect on a hypervisor) to be the syslog receiver. There are also packages such as ELK that a lot of folks use. Google the term "ELK" for more info. It is an acronymn for Elastisearch Logstash Kibana if I am remembering correctly. This is a suite of software tools you install on a Linux host.
-
@bmeeks said in Maximum Log Size:
@mattlach said in Maximum Log Size:
@bmeeks said in Maximum Log Size:
pfSense currently uses a special logging utility called
clogfor its system logging. This utility produces a binary circular log file that is first-in first-out. It is not like a normal syslog file on say Linux. Circular logging was implemented when pfSense was first created because many of the installs were on small memory footprint systems with flash memory (remember NanoBSD).The size limit you are hitting is imposed, I believe, by the
clogutility. Most folks who want to maintain tons of log data use the syslog export feature to send the logs to an external syslog or rsyslog host.Thank you for that.
I will google to see if I can find any guides regarding syslog export.
There are some configuration parameters on the Settings tab of the SYSTEM LOG screen for setting up log export to a remote syslog host. You will find it easiest to create a Linux machine (a VM is perfect on a hypervisor) to be the syslog receiver. There are also packages such as ELK that a lot of folks use. Google the term "ELK" for more info. It is an acronymn for Elastisearch Logstash Kibana if I am remembering correctly. This is a suite of software tools you install on a Linux host.
Thanks again.
I just created an Ubuntu server 18.04 container on my mmain server, and configured rsyslog per this guide.
Next I went into the GUI configuration on pfSense and enabled remote logging and added in the IP of the ubuntu machine, as described here. It doesn't appear to have received any logs yet.
Maybe it needs UDP? I only enabled TCP.
Or maybe I have a permissions problem on the folder I asked it to store the logs in.
I'm troubleshooting.
netstat shows no connections on port 514 though, so the issue seems to not be permissions, but rather be that the connection isn't established.
Do I need to do anything to pfsense to make it start sending logs, or is checking the box, configuring and hitting apply enough?
-
@mattlach said in Maximum Log Size:
@bmeeks said in Maximum Log Size:
@mattlach said in Maximum Log Size:
@bmeeks said in Maximum Log Size:
pfSense currently uses a special logging utility called
clogfor its system logging. This utility produces a binary circular log file that is first-in first-out. It is not like a normal syslog file on say Linux. Circular logging was implemented when pfSense was first created because many of the installs were on small memory footprint systems with flash memory (remember NanoBSD).The size limit you are hitting is imposed, I believe, by the
clogutility. Most folks who want to maintain tons of log data use the syslog export feature to send the logs to an external syslog or rsyslog host.Thank you for that.
I will google to see if I can find any guides regarding syslog export.
There are some configuration parameters on the Settings tab of the SYSTEM LOG screen for setting up log export to a remote syslog host. You will find it easiest to create a Linux machine (a VM is perfect on a hypervisor) to be the syslog receiver. There are also packages such as ELK that a lot of folks use. Google the term "ELK" for more info. It is an acronymn for Elastisearch Logstash Kibana if I am remembering correctly. This is a suite of software tools you install on a Linux host.
Thanks again.
I just created an Ubuntu server 18.04 container on my mmain server, and configured rsyslog per this guide.
Next I went into the GUI configuration on pfSense and enabled remote logging and added in the IP of the ubuntu machine, as described here. It doesn't appear to have received any logs yet.
Maybe it needs UDP? I only enabled TCP.
Or maybe I have a permissions problem on the folder I asked it to store the logs in.
I'm troubleshooting.
netstat shows no connections on port 514 though, so the issue seems to not be permissions, but rather be that the connection isn't established.
Do I need to do anything to pfsense to make it start sending logs, or is checking the box, configuring and hitting apply enough?
Turns out it was indeed a filesystem permissions error. I had pointed the logs in a nonstandard location (/mnt/rsyslogd, a mounted drive)
Once I changed the owners to the same as in /var/log (root:syslog for the folder, and syslog:adm for the log files) and then matched the read and write permissions to /var/log as well, things seemed to work as expected.
Thanks for all the help!
--Matt
