Log rotation size setting not being applied

e-1-1

System: 2.6.0-RELEASE
System logs -> Firewall page takes about 7 seconds to load, with 150 maximum log entries set.
Filtering for logs from a specific interface takes about the same 7 seconds since hitting Apply until page is reloaded with the results.

Checking the box with htop, only

/usr/bin/tail -r -n 10000

and

sh -c /bin/cat '/var/log/filter.log.6' '/var/log/filter.log.5' '/var/log/filter.log.4' '/var/log/filter.log.3'...

stand out during these 7 seconds.

File system is ZFS and no log compression.

Log rotation is not set, therefore I'd expect it to be the default 512KB.

But log file sizes show a different picture:

/var/log: ls -alh filter*
-rw-------  1 root  wheel   2.8M Mar 12 19:07 filter.log
-rw-------  1 root  wheel   143M Mar 12 17:42 filter.log.0
-rw-------  1 root  wheel   144M Mar 10 02:46 filter.log.1
-rw-------  1 root  wheel   143M Mar  7 11:56 filter.log.2
-rw-------  1 root  wheel   143M Mar  5 12:06 filter.log.3
-rw-------  1 root  wheel   143M Mar  2 20:40 filter.log.4
-rw-------  1 root  wheel   143M Feb 28 14:32 filter.log.5
-rw-------  1 root  wheel   143M Feb 26 11:59 filter.log.6

Any ideas how to force the logging subsystem to respect the default file size?

jimp

The "150 maximum log entries" bit only affects what is shown in the GUI, not what gets processed or rotated.

If the log files are that big you must have rotation set large somewhere, those are quite huge. It could be set in the Settings tab under system logs or there are per-log rotation options as well.

What is in /var/etc/newsyslog.conf.d/pfSense.conf?

e-1-1

@jimp it's a non-standard looking value, all the others are at "500":

/root: cat /var/etc/newsyslog.conf.d/pfSense.conf | egrep filter
/var/log/filter.log             root:wheel      600     7       146484.375      *       C

I remember having set in the past the log rotation size to a large value, maybe even that that amounts to ~146MB, but then (sometime before upgrading to 2.5 series, so one-two years ago) deleted the setting in order for it to be set to default. Haven't checked then if the logs have expected size after setting changed, only now, when there's a noticeable delay in the UI when browsing and filtering the pf logs.

e-1-1

@jimp some extra info - after changing "Log Rotation Size (Bytes)" to 512000, there's no change seen in /var/etc/newsyslog.conf.d/pfSense.conf

After switching to empty field in "Log Rotation Size (Bytes)" (and pressing Save, of course) there's no change again in that conf file.

stephenw10

You can set the log sizes for each log individually by hitting the gear wheel icon on the firewall log page. That's probably where it's set.
If it is change it there and reset the filter logs.

Steve

e-1-1

@stephenw10 Great tip, thanks!! It was set there to 150000000. Deleted, saved, now got the expected 500 in pfSense.conf.

cat /var/etc/newsyslog.conf.d/pfSense.conf | egrep filter
/var/log/filter.log             root:wheel      600     7       500     *       C