Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    How do you expand /var

    Scheduled Pinned Locked Moved General pfSense Questions
    16 Posts 7 Posters 1.9k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • V
      Vlee
      last edited by

      Hello,

      We are running pfsense "2.6.0-RELEASE" and have noticed our /var is out of space. How can I expand /var or make more space in /var?

      acec4e2b-e0b2-48a7-9cde-be52c1db5c01-image.png

      Thank you for your help!

      D 1 Reply Last reply Reply Quote 0
      • stephenw10S
        stephenw10 Netgate Administrator
        last edited by

        You don't, you find out what's using all the space and delete it. Nothing should use anything approaching that much drive space in pfSense. You have something that is incorrectly using it. Probably logs that are not rotating as expected and that's usually Snort or Suricata.

        Steve

        johnpozJ 1 Reply Last reply Reply Quote 0
        • johnpozJ
          johnpoz LAYER 8 Global Moderator @stephenw10
          last edited by johnpoz

          @stephenw10 I was going to say - wow, my var isn't using anything close to that ;)

          var.jpg

          on a side note I take it you did an upgrade to 2.6 vs clean - didn't zfs become the new default file system? Notice your still using ufs

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          1 Reply Last reply Reply Quote 0
          • stephenw10S
            stephenw10 Netgate Administrator
            last edited by

            An unlimited packet capture is my next most likely suspect but that would be in / not /var.

            1 Reply Last reply Reply Quote 0
            • V
              Vlee
              last edited by

              Thanks for all the help! We found out it was suricata creating the logs. We were able to uninstall it and remove the logs in the process.

              S 1 Reply Last reply Reply Quote 0
              • stephenw10S
                stephenw10 Netgate Administrator
                last edited by

                Ah, nice!

                If you're running Suricata make sire it has log rotation enabled and then there is a total log size limit set.

                Steve

                R 1 Reply Last reply Reply Quote 0
                • S
                  Stewart @Vlee
                  last edited by

                  @vlee There was a version of Suricata that didn't pay attention to limits and rotation. If you've been upgrading it could have been related to that depending on how long they've been sitting there and how old your versions have been. Upgrading will fix it though, and it seems like you've done that. Just make sure you have your limits and rotation on and you should be all set.

                  1 Reply Last reply Reply Quote 0
                  • D
                    Darkk @Vlee
                    last edited by

                    @vlee I've had the exact same problem with the /var folder. Although I am using tmpfs in RAM to reduce the number of writes to my SSD. Turns out it was Suricata was not pruning the logs like it should. The thing is before upgrading to 22.05 (pfSense Plus) Suricata was working fine and pruning the logs as usual. After the upgrade it wasn't clearing out the logs.

                    So I uninstalled Suricata which removed the logs and re-installed it. I've enabled the hard limit of 2 gigs for logs so hopefully it'll fix it. If it doesn't then will have to report it as a bug for Suricata.

                    1 Reply Last reply Reply Quote 0
                    • stephenw10S
                      stephenw10 Netgate Administrator
                      last edited by

                      Yes, if you're running RAM disks you have to be very careful with Snort/Suricata. Really neither package is intended to be run with RAM disks.

                      Steve

                      D 1 Reply Last reply Reply Quote 0
                      • D
                        Darkk @stephenw10
                        last edited by

                        @stephenw10 I've personally never had an issue with it. It got a 6 gig for /var in RAM.

                        1 Reply Last reply Reply Quote 0
                        • bmeeksB
                          bmeeks
                          last edited by

                          Yes, @stephenw10 is 100% correct. I am the maintainer/developer for both of the IDS/IPS packages, and use of RAM disks is not recommended for either of them. They can log a lot of information very rapidly on a busy network with lots of active rules. That can overwhelm most typical RAM disk setups.

                          The IDS/IPS packages really do best with spinning hard disks.

                          D 1 Reply Last reply Reply Quote 1
                          • stephenw10S
                            stephenw10 Netgate Administrator
                            last edited by

                            I will say that a 6GB RAM disk is not typical. ๐Ÿ˜‰

                            bmeeksB 1 Reply Last reply Reply Quote 0
                            • D
                              Darkk @bmeeks
                              last edited by

                              @bmeeks Good point. It's got a 500 gig nvme as the boot / os drive. I could throw in an old Samsung 500 gig EVO just for logging. Will take a look at it at the next re-install.

                              bmeeksB 1 Reply Last reply Reply Quote 0
                              • bmeeksB
                                bmeeks @stephenw10
                                last edited by

                                @stephenw10 said in How do you expand /var:

                                I will say that a 6GB RAM disk is not typical. ๐Ÿ˜‰

                                Yeah, agree that 6GB is certainly not a "typical" RAM disk. But still, some of the Suricata EVE JSON logs can get quite large due to the sheer amount of text info that gets logged there. It does depend, though, on exactly what options the admin has enabled for EVE logging.

                                1 Reply Last reply Reply Quote 0
                                • bmeeksB
                                  bmeeks @Darkk
                                  last edited by bmeeks

                                  @darkk said in How do you expand /var:

                                  @bmeeks Good point. It's got a 500 gig nvme as the boot / os drive. I could throw in an old Samsung 500 gig EVO just for logging. Will take a look at it at the next re-install.

                                  One issue you may encounter is that the IDS/IPS packages do not offer a customizable log path option as of now. They default to /var/log. You can remap that at the OS level, of course. But it's not something you can currently do within the package itself. It is an item on my "wish list" TODO.

                                  1 Reply Last reply Reply Quote 2
                                  • R
                                    rcoleman-netgate Netgate @stephenw10
                                    last edited by

                                    Here's the command we use in TAC to determine the largest folders in /var:

                                    Go to Diagnostics->Command Prompt and copy/pasta the following command:

                                    du -a /var | sort -n -r | head -n 10
                                    

                                    Ryan
                                    Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
                                    Requesting firmware for your Netgate device? https://go.netgate.com
                                    Switching: Mikrotik, Netgear, Extreme
                                    Wireless: Aruba, Ubiquiti

                                    1 Reply Last reply Reply Quote 2
                                    • First post
                                      Last post
                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.