Disk space Filling up



  • Hi,

    I am very new to pfsense and have a VK-T40E.  I am now running release version 2.2.2 and just after the upgrade i noticed that something is logging somewhere and my 30 Gig SSD storage was filling up.  It is currently at 51% utilised.

    I have the following packages installed.

    File Manager
    Open VPN
    Suricata

    The growing utilisation of the SSD storage appears to have halted somewhat at 51% after I re-installed the Suricata package:

    While trying to figure out what was eating the space I tried to view the Suricata.log files for the WAN interface in the GUI / Browser (Interface is PPPoE).  For some reason the download/display of the logs fails every time and gives an error as follows:

    Crash report begins.  Anonymous machine information:

    amd64
    10.1-RELEASE-p9
    FreeBSD 10.1-RELEASE-p9 #0 57b23e7(releng/10.1)-dirty: Tue Apr 14 12:48:16 CDT 2015    root@-amd64-builder.pfmechanics.com:/usr/obj.amd64/usr/pfSensesrc/src/sys/pfSense_SMP.10

    Crash report details:

    PHP Errors:
    [11-May-2015 22:43:59 ] PHP Fatal error:  Allowed memory size of 268435456 bytes exhausted (tried to allocate 165918789 bytes) in /usr/local/www/suricata/suricata_logs_browser.php on line 72
    [11-May-2015 22:46:06] PHP Fatal error:  Allowed memory size of 268435456 bytes exhausted (tried to allocate 166112901 bytes) in /usr/local/www/suricata/suricata_logs_browser.php on line 72

    **************  Is it safe to modify the allowed memory size ? **********

    I can't seem to find anywhere that the 10 Gig or so of space is being consumed.  Im guessing it was Suricata logs but don't know enough to be certain.  At one point the % of disk usage was increasing about 4% per day.

    I did have Squid installed at one point just to see how it worked and I found the following 5gig file

    /var/squid/cache/swap.state

    Questions:

    • Can I safely delete the entire Squid directory if im not using squid?
    • Is there an easier way to find large files ?  Im still a novice at the CLI so mainly use the File Manager GUI
    • Anyone experienced Suricata chewing large amounts of space even after enabling the auto log rotation settings?  I did see one post here possibly related to the log rotation not working correctly in some versions?

    At this stage i'd be happy to just find the files taking up the space - at least then I can start investigating further.

    Thanks in advance.



  • Can I safely delete the entire Squid directory if im not using squid?

    If you aren't using squid then you should remove the package and delete any leftover files/folders.

    Is there an easier way to find large files ?  Im still a novice at the CLI so mainly use the File Manager GUI

    The standard du command.

    I don't use Suricata.



  • Your Suricata log files have grown too large.  Do you have automatic log management enabled.  You can enable it on the LOG MGMT tab in Suricata.

    You need to clean out your log files.  Try enabling the automatic log management.  The default settings will launch a cron task every 5 minutes that will clean out old files.

    Bill



  • Many thanks for the responses, this has helped me a lot.

    The Squid files - mainly the cache state was the primary issue.  These remained post uninstall of the package.  I think there might have been uninstall options to keep the cache etc ?

    I checked the Suricate logs and I think that at some point, the log trimming was not working correctly - even though theoretically the GUI showed trimming enabled. 
    I re-applied the settings and the logs for Suricate appear to be trimming properly now.

    Really appreciate the great help of forum members.