GUI is only showing last 2000 log entries. Where can I see the rest?

nfern

Hi,
I'm using netgatge xg7100 appliance with version 2.4.5
I am trying to search logs, but i can oly see 2000 log entries on the system log page of the gui. where can i view the previous logs from the last couple of days?
Thanks
NF

johnpoz

On your syslog server :) you were sending them there right..

Before 2.5 logs were circular.. So they are gone unless you were sending them elsewhere.

with 2.4.5 you can use clog to look at the file directly to see if older stuff is in there.. But again they are circular and old stuff will get overwritten..

https://docs.netgate.com/pfsense/en/latest/releases/2-5-0.html#logging

Gertjan

Or go to to /var/log

The most important logs are compacted to 'bz2' (log rotated) so weeks of info is still available.

johnpoz

@gertjan said in GUI is only showing last 2000 log entries. Where can I see the rest?:

'bz2' (log rotated) so weeks of info is still available.

In 2.4.5?

That is true on 2.5

Gertjan

Hummm.
Now I understand why you were talking about 2.4.5 ....
And I remember why I installed many years ago a local syslog server ;)

(edit : I zapped to read the actual question .... )

NZ

FYI if you're searching Firewall logs.

There is also a hard limit on the filter log parser to only 10K latest entries.
So don't expect to see days of log data if your logs fill up quickly.
https://redmine.pfsense.org/issues/11666

If you want to see more data within the GUI.
First set the Log Compression to "none"
Set Log Retention Count to a high number (eg 99) (make sure you have a few GBs of HD for logging).

Then you can view the rotation files directly in the Diagnostic\Edit File section.
Just browse to "/var/log"

bingo600

I would love for an extra logging option.
Right now we have logging on/off.

I would love to have
Gui logging on/off
Syslog logging on/off

I find that i sometimes do a "No logging rule" in order not to get the Gui logging totally cluttered by a crazy client.
But then i also loose the entry in the syslog , where i would like to have it.

Maybe i just have "sore eyes" , but it would be a neat feature.

/Bigo

johnpoz

If you don't want to see entry that are flooding your gui log, you can filter it. The ! can be used in filter to exclude something from the listing.

bingo600

@johnpoz

Thanx JP , will try that

But the feature would still be neat

I do understand that they somehow might have to add a "Gui show/noshow" field in the logline , and that automation guyzz would hate me for that ... But .... Neat

/Bingo

johnpoz

While a more robust filtering system could be a nice addition.. Say for example an easy way to maintain a filter with multiple entries be it show only or exclude this list, etc. Or have sets of filters, that you can load or unload..

Toggling such action on the rules themselves - hmm.. I would think that would overly complicate the whole logging aspect.

But a filter you could load or unload to display specifics that are in the log shouldn't be all that hard to do.. Keep in mind that is coming from someone that doesn't actually code.. So I could be over looking something that makes that actually very difficult to accomplish ;)

Prob best option is just just send logs to your syslog - and use that to parse the data how you want.. And use that system to look at the logs vs the gui interface in pfsense. You can get pretty granular with such systems on what is shown or not shown, etc.

But if its just some temp over zealous bot hitting your wan and spamming your logs during a time frame your looking for something else in the logs - the ! filter of excluding something from the gui can help..

Gertjan

@johnpoz said in GUI is only showing last 2000 log entries. Where can I see the rest?:

The ! can be used

Cooool !

A simple

!::

works for me : now I see only portal traffic