3G tmpfs folder usage at 90% and increasing exponentially

gwaitsi

My 3G tmpfs folder is at 90%. I have already increased it twice.
I presume it must be logs of some sort.
how can i find what is causing the explosion in usage and limit it.

SteveITS

@gwaitsi Not sure what you mean by "3G"..." pfSense uses RAM disks for /tmp and /var, (only) if configured. You can run "du -h /var" or "du -h /tmp" to get a summary of directory sizes.

gwaitsi

@steveits yes, I originally had 2048 as the /var ram disk. have had to increase it to 3072. The suricata logs were taking up 2.5Gb despite having the total limit of 100Mb set. I deleted the logs, and raised the limit to 500Mb. But I don't think suricata is respecting it's config settings

SteveITS

@gwaitsi In Services/Suricata/Logs Management > Log Directory Size Limit? That's sort of a fallback setting in case the logs are growing too quickly.

gwaitsi

@steveits that's what i'm saying. mine was at the default setting, but it seems to have been completely ignored.

SteveITS

@gwaitsi Hmm, years ago there was a bug where log management had to be disabled and re-enabled (it showed as checked by default but wasn't enabled, IIRC). Haven't noticed any issues since then.

Perhaps @bmeeks will have some insight.

gwaitsi

@steveits so, i disabled it and re-enabled it. see if that makes any difference

gwaitsi

so, i am back with a disk usage problem after deleting the suricata logs the other day.

the main contenders are;

• /var/log/suricata - 224M

• /var/db/pfblockerng - 774M
  dnsblorig - 131M
  dnsbl - 244M
  dnsbalias - 244M
  ut1 - 126M

• /var/unbound - 673M
  pfb_py_zones 240M
  usr/local = 411M
  usr/local/lib = 356M

does this look normal? this i should probably increase the ram allocated again.
if not, what does not look right?

SteveITS

@gwaitsi Guessing you’re logging all that on purpose…hard to say what’s “normal”…

Suricata logs HTTP requests by default. We usually turn that off. Otherwise check the alerts tab and see what’s going on. Do you have it running on WAN? That will scan packets that will then immediately be dropped by the firewall because it runs outside the firewall.

How is log rotation of pfSense set? IIRC pfBlocker doesn’t do it’s own rotation but I didn’t check that.

gwaitsi

@steveits

• suricata is only logging on the 1 x LAN / 1 x LAGG interfaces and not blocking at the moment.
• suricata I set total log limit to 300Mg, up from default 96Mg and only keep 7 days everything
• pfblockerng i have reduced the log lines to 10000 now

pfblocker seems to use a lot, when you consider the unbound zones file plus the config.

SteveITS

@gwaitsi They can and it depends on need…we usually limit logging unless debugging something.