Firewall logs real short?
  • I have my logs set to 200max entries.

    The firewall logs in particular show a random number of log entries.  For example right now there are 9 entries.  Other times I may see 22, or 15, or 8.  But nowhere near the 200max.

    On this hardware I have:

    2.0.1-RELEASE (i386)
    built on Mon Dec 12 18:24:17 EST 2011
    FreeBSD 8.1-RELEASE-p6

    Installed.

    On another unit separate of this one, I have the same version of pfsense installed and it has firewall logs listing as they should.

    Thoughts?


  • Rebel Alliance Developer Netgate

    There could be many lines getting filtered out either as irrelevant or unparseable for some reason. Check the raw log (clog /var/log/filter.log) and see what shows up there and how it compares to the parsed version in the GUI



  • Hi Jimp.  You're right I think about "unparseable" logs.  For example, I had a lot of entries in /var/log/filter.log that were like this.

    Mar 15 09:38:55 wbpf pf: 00:00:04.639905 rule 1/0(match): block in on em1: (tos 0xc0, ttl 2, id 0, offset 0, flags [none], proto EIGRP (88), length 60)
    Mar 15 09:38:55 wbpf pf:     192.168.10.150 > 224.0.0.10:
    Mar 15 09:38:55 wbpf pf:        EIGRP v2, opcode: Hello (5), chksum: 0xee68, Flags: [none]
    Mar 15 09:38:55 wbpf pf:        seq: 0x00000000, ack: 0x00000000, AS: 100, length: 20
    Mar 15 09:38:55 wbpf pf:          General Parameters TLV (0x0001), length: 12
    Mar 15 09:38:55 wbpf pf:            holdtime: 15s, k1 1, k2 0, k3 1, k4 0, k5 0

    Then I would have a more simple entry like this that does actually show in the GUI firewall log:

    Mar 15 11:24:14 wbpf pf: 00:02:59.476224 rule 1/0(match): block in on em0: (tos 0x0, ttl 108, id 256, offset 0, flags [none], proto TCP (6), length 40)
    Mar 15 11:24:14 wbpf pf:     218.22.87.214.6000 > 172.16.10.10.3389: Flags , cksum 0x2403 (correct), seq 1059782656, win 16384, length 0

    Does the filter.log have a maximum size in bytes?  It looks like roughly 500K and it never seems to change.  It seems like a lot of the unparsables may be clearing the /var/log/filter.log and the GUI firewall log in a way, rolling over somehow?

    @jimp:

    There could be many lines getting filtered out either as irrelevant or unparseable for some reason. Check the raw log (clog /var/log/filter.log) and see what shows up there and how it compares to the parsed version in the GUI
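
The comparison jimp suggests (raw `filter.log` entries versus what the GUI manages to parse) can be scripted. The following is an added example, not code from the thread or from pfSense: it groups the syslog lines into pf entries (a new entry starts at each `rule N/M(match):` line, continuation lines belong to the entry before them), extracts interface, protocol and addresses, and counts how many entries a display parser would keep. The "displayable" rule is a deliberately simplified stand-in for the GUI parser, not pfSense's actual logic: an entry is kept only if its address line carries both a source and a destination port, which is what the TCP entry above has and the EIGRP entry lacks. The sample log is constructed from the lines quoted above.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample, modelled on the /var/log/filter.log lines quoted in the thread.
SAMPLE_LOG = """\
Mar 15 09:38:55 wbpf pf: 00:00:04.639905 rule 1/0(match): block in on em1: (tos 0xc0, ttl 2, id 0, offset 0, flags [none], proto EIGRP (88), length 60)
Mar 15 09:38:55 wbpf pf:     192.168.10.150 > 224.0.0.10:
Mar 15 09:38:55 wbpf pf:        EIGRP v2, opcode: Hello (5), chksum: 0xee68, Flags: [none]
Mar 15 09:38:55 wbpf pf:        seq: 0x00000000, ack: 0x00000000, AS: 100, length: 20
Mar 15 09:38:55 wbpf pf:          General Parameters TLV (0x0001), length: 12
Mar 15 09:38:55 wbpf pf:            holdtime: 15s, k1 1, k2 0, k3 1, k4 0, k5 0
Mar 15 11:24:14 wbpf pf: 00:02:59.476224 rule 1/0(match): block in on em0: (tos 0x0, ttl 108, id 256, offset 0, flags [none], proto TCP (6), length 40)
Mar 15 11:24:14 wbpf pf:     218.22.87.214.6000 > 172.16.10.10.3389: Flags , cksum 0x2403 (correct), seq 1059782656, win 16384, length 0
"""

# Syslog prefix every line carries: "Mar 15 09:38:55 wbpf pf: <body>"
PREFIX_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) pf: (?P<body>.*)$"
)
# First line of a pf entry: "<delta> rule N/M(match): block in on em1: (... proto TCP (6), length 40)"
HEADER_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ rule (?P<rule>\d+)/\d+\(match\): "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<iface>\w+): "
    r"\(.*proto (?P<proto>\w+) \(\d+\).*\)$"
)
# Address line that follows the header: "src[.port] > dst[.port]: ..."
ADDR_RE = re.compile(r"^\s*(?P<src>\S+) > (?P<dst>\S+):")


def split_host_port(token: str):
    """'1.2.3.4.80' -> ('1.2.3.4', 80); a bare '1.2.3.4' -> ('1.2.3.4', None)."""
    parts = token.split(".")
    if len(parts) == 5 and parts[-1].isdigit():
        return ".".join(parts[:4]), int(parts[-1])
    return token, None


@dataclass
class Entry:
    timestamp: str
    iface: str
    action: str
    direction: str
    proto: str
    src: str = ""
    sport: Optional[int] = None
    dst: str = ""
    dport: Optional[int] = None
    lines: list = field(default_factory=list)

    def displayable(self) -> bool:
        # Simplified model of the GUI parser (an assumption for this example, not
        # pfSense's code): only entries whose address line has both ports render.
        return self.sport is not None and self.dport is not None


def parse_filter_log(text: str) -> list:
    """Group raw filter.log lines into pf entries, one per 'rule ...(match)' header."""
    entries = []
    current = None
    for raw in text.splitlines():
        m = PREFIX_RE.match(raw)
        if not m:
            continue  # not a pf line
        body = m.group("body")
        h = HEADER_RE.match(body)
        if h:
            current = Entry(m.group("ts"), h.group("iface"), h.group("action"),
                            h.group("dir"), h.group("proto"))
            current.lines.append(body)
            entries.append(current)
            continue
        if current is None:
            # clog is a fixed-size circular log, so the first line read may be a
            # continuation of an entry whose header was already overwritten.
            continue
        current.lines.append(body)
        a = ADDR_RE.match(body)
        if a and not current.src:
            current.src, current.sport = split_host_port(a.group("src"))
            current.dst, current.dport = split_host_port(a.group("dst"))
    return entries


def summarize(entries: list) -> dict:
    """Raw entry count versus what the (modelled) GUI parser would show."""
    dropped = [e for e in entries if not e.displayable()]
    return {
        "raw": len(entries),
        "displayed": len(entries) - len(dropped),
        "dropped_by_proto": dict(Counter(e.proto for e in dropped)),
    }


if __name__ == "__main__":
    ents = parse_filter_log(SAMPLE_LOG)
    for e in ents:
        status = "shown" if e.displayable() else "dropped"
        print(f"{e.timestamp} {e.action} {e.direction} on {e.iface} {e.proto} "
              f"{e.src}:{e.sport} -> {e.dst}:{e.dport} [{len(e.lines)} lines] {status}")
    print(summarize(ents))
```

Run it against the real circular log with `clog /var/log/filter.log | python3 this_script.py` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; the `dropped_by_proto` counter shows which protocols account for the gap between the raw log and the GUI's entry count.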


  • Rebel Alliance Developer Netgate