Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    3G tmpfs folder usage at 90% and increasing exponentially

    General pfSense Questions
    2
    11
    866
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • 4
      4o4rh
      last edited by

      My 3G tmpfs folder is at 90%. I have already increased it twice.
      I presume it must be logs of some sort.
      how can i find what is causing the explosion in usage and limit it.

      S 1 Reply Last reply Reply Quote 0
      • S
        SteveITS Galactic Empire @4o4rh
        last edited by

        @gwaitsi Not sure what you mean by "3G"..." pfSense uses RAM disks for /tmp and /var, (only) if configured. You can run "du -h /var" or "du -h /tmp" to get a summary of directory sizes.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        4 1 Reply Last reply Reply Quote 0
        • 4
          4o4rh @SteveITS
          last edited by

          @steveits yes, I originally had 2048 as the /var ram disk. have had to increase it to 3072. The suricata logs were taking up 2.5Gb despite having the total limit of 100Mb set. I deleted the logs, and raised the limit to 500Mb. But I don't think suricata is respecting it's config settings

          S 1 Reply Last reply Reply Quote 0
          • S
            SteveITS Galactic Empire @4o4rh
            last edited by

            @gwaitsi In Services/Suricata/Logs Management > Log Directory Size Limit? That's sort of a fallback setting in case the logs are growing too quickly.

            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
            Upvote 👍 helpful posts!

            4 1 Reply Last reply Reply Quote 0
            • 4
              4o4rh @SteveITS
              last edited by

              @steveits that's what i'm saying. mine was at the default setting, but it seems to have been completely ignored.

              S 1 Reply Last reply Reply Quote 0
              • S
                SteveITS Galactic Empire @4o4rh
                last edited by

                @gwaitsi Hmm, years ago there was a bug where log management had to be disabled and re-enabled (it showed as checked by default but wasn't enabled, IIRC). Haven't noticed any issues since then.

                Perhaps @bmeeks will have some insight.

                Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                Upvote 👍 helpful posts!

                4 1 Reply Last reply Reply Quote 0
                • 4
                  4o4rh @SteveITS
                  last edited by

                  @steveits so, i disabled it and re-enabled it. see if that makes any difference

                  1 Reply Last reply Reply Quote 0
                  • 4
                    4o4rh
                    last edited by

                    so, i am back with a disk usage problem after deleting the suricata logs the other day.

                    the main contenders are;

                    • /var/log/suricata - 224M

                    • /var/db/pfblockerng - 774M
                      dnsblorig - 131M
                      dnsbl - 244M
                      dnsbalias - 244M
                      ut1 - 126M

                    • /var/unbound - 673M
                      pfb_py_zones 240M
                      usr/local = 411M
                      usr/local/lib = 356M

                    does this look normal? this i should probably increase the ram allocated again.
                    if not, what does not look right?

                    S 1 Reply Last reply Reply Quote 0
                    • S
                      SteveITS Galactic Empire @4o4rh
                      last edited by

                      @gwaitsi Guessing you’re logging all that on purpose…hard to say what’s “normal”…

                      Suricata logs HTTP requests by default. We usually turn that off. Otherwise check the alerts tab and see what’s going on. Do you have it running on WAN? That will scan packets that will then immediately be dropped by the firewall because it runs outside the firewall.

                      How is log rotation of pfSense set? IIRC pfBlocker doesn’t do it’s own rotation but I didn’t check that.

                      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                      Upvote 👍 helpful posts!

                      4 1 Reply Last reply Reply Quote 0
                      • 4
                        4o4rh @SteveITS
                        last edited by 4o4rh

                        @steveits

                        • suricata is only logging on the 1 x LAN / 1 x LAGG interfaces and not blocking at the moment.
                        • suricata I set total log limit to 300Mg, up from default 96Mg and only keep 7 days everything
                        • pfblockerng i have reduced the log lines to 10000 now

                        pfblocker seems to use a lot, when you consider the unbound zones file plus the config.

                        S 1 Reply Last reply Reply Quote 0
                        • S
                          SteveITS Galactic Empire @4o4rh
                          last edited by

                          @gwaitsi They can and it depends on need…we usually limit logging unless debugging something.

                          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                          Upvote 👍 helpful posts!

                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.