Tons sshguard log entries and its not enabled

geovaneg · Jul 11, 2022, 1:28 PM

Hi @stephenw10

Let's try an ideal combination of the two.
But for today I'll just follow the behavior.

Thanks.

Geovane

geovaneg · Jul 11, 2022, 1:37 PM

Change of plans:

My quiet time dropped to less than 20 minutes in the last rotation, with the arrival of users on the wifi network.

I am changing the size of the log files to 100MB and the retention to 2 files.

geovaneg · Jul 13, 2022, 1:43 PM

Good morning gentlemen,

Thanks to you, we are evolving towards a satisfactory configuration.
I was looking for logs to disable and I noticed that the squid access logs are being written locally to the /var/log/nginx.log file and also to the /var/squid/logs/access.log folder.
Do you know if there's a way to solve this without affecting the sending to the remote server?
Note: I have the LightSquid package installed as well.

Thanks.

stephenw10 · Jul 13, 2022, 4:34 PM

Hmm, nothing I'm aware of but I've never tried to solve that before. You mean prevent Squid writing to the nginx log? You certainly need local logging for LightSquid to work.

geovaneg · Jul 14, 2022, 2:23 PM

@stephenw10

Good Morning,

Yes, LightSquid uses log files from the "/var/squid/logs" folder. I reduced the space used by changing the retention of logs in the squid from 30 to 3 files.
Regarding the same logs that go to "/var/log/nginx.log" it seems that they are sent remotely to syslog, so there's not much to do there.

geovaneg · Jul 14, 2022, 2:41 PM

Sirs,

Thanks again for the suggestions.
I believe that we have reached a suitable configuration for our case.

I'll report the actions in case anyone finds this useful in the future:

PfSense 2.6.0 - FW/GW/Proxy wifi network approx 1300 daily users.
Logs are sent remotely for auditing purposes. Lots of filter logs!

Our final configuration to avoid "sshguard" spam looked like this:

We increased log file size to 100MB;
To avoid excessive disk consumption, retention has been changed to only two files in "log settings";

-rw------- 1 root wheel 97239550 Jul 14 11:35 filter.log
-rw------- 1 root wheel 102682474 Jul 13 16:16 filter.log.0
-rw------- 1 root wheel 102697059 Jul 13 11:31 filter.log.1

To avoid the risk of unnecessary CPU consumption, log compression was disabled (UFS);
We disabled the log packets matched from the default block rules in the ruleset to reduce the amount of system logs;
We reviewed the other firewall rules and kept the logs strictly necessary;
Also to avoid space consumption, squid log retention has been reduced from 30 to 3 files.

Thanks,

Geovane

noplan · Jan 24, 2023, 9:23 AM

ok run into same thing ...
gonna have a look into this

2.6CE

brNP