System Logs

pfSense logs a lot of data by default, but does so in a manner that will not overflow the storage on the firewall. The logs can be viewed in the GUI under Status > System Logs and under /var/log/ on the file system.

Some components such as DHCP and IPsec generate enough logs that they have their own logging tabs to reduce clutter in the main system log and to ease troubleshooting for these individual services. To view other logs, click the tab for the subsystem to view. Certain areas, such as System and VPN, have sub-tabs with additional related options.

pfSense logs are contained in a binary circular log format called clog. These files are a fixed size and never grow. As a consequence, each log holds only a limited number of entries, and old entries are continually pushed out of the log as new entries are added. If log retention is an issue for an organization, the logs can be copied to another server with syslog where they may be permanently retained or rotated with less frequency. See Remote Logging with Syslog later in this chapter for information about syslog.
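A small model of this behavior, added here as an example and not taken from pfSense: it shows that a fixed-size log retains a number of bytes rather than a span of time, so a burst of verbose logging shortens the history available for review. The 500,000-byte size is the default given under Global Log Settings; the 200-byte entries, the logging rates and whole-entry eviction are assumptions of the model.

```python
from collections import deque

DEFAULT_LOG_SIZE = 500_000  # bytes; the default Log File Size on this page


class CircularLogModel:
    """Simplified model of a fixed-size log. Whole entries are evicted
    oldest-first once the byte budget is exceeded; the real clog file is
    a byte ring, so this only models which entries survive."""

    def __init__(self, capacity=DEFAULT_LOG_SIZE):
        self.capacity = capacity
        self.used = 0
        self.entries = deque()  # (minute, size_bytes), oldest first

    def append(self, minute, size):
        self.entries.append((minute, size))
        self.used += size
        while self.used > self.capacity:
            self.used -= self.entries.popleft()[1]

    def window_minutes(self):
        """Minutes between the oldest and newest entry still held."""
        if not self.entries:
            return 0
        return self.entries[-1][0] - self.entries[0][0]


def simulate(phases, capacity=DEFAULT_LOG_SIZE):
    """phases: list of (minutes, entries_per_minute, entry_size_bytes)."""
    log, now = CircularLogModel(capacity), 0
    for minutes, rate, size in phases:
        for _ in range(minutes):
            now += 1
            for _ in range(rate):
                log.append(now, size)
    return log


# Constructed workloads with 200-byte entries (500,000 / 200 = 2500 entries).
QUIET = [(360, 5, 200)]            # six hours at 5 entries per minute
BURST = QUIET + [(10, 500, 200)]   # followed by ten minutes of verbose logging

if __name__ == "__main__":
    for name, phases in (("quiet", QUIET), ("quiet + burst", BURST)):
        log = simulate(phases)
        print(f"{name}: {len(log.entries)} entries, "
              f"{log.window_minutes()} minutes of history")
```

In the quiet case all six hours remain in the log; after the burst only the last few minutes survive, which is the situation remote syslog is meant to cover.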

On normal full installations where logs are kept on disk, they are retained across reboots. For NanoBSD installations or when /var is in a RAM disk, the logs reset at boot time.

Viewing System Logs

The system logs can be found under Status > System Logs, on the System tab. This will include log entries generated by the host itself in addition to those created by services and packages which do not have their logs redirected to other tabs/log files.

As shown by the example entries in Figure Example System Log Entries, there are log entries from several different areas in the main system log. Many other subsystems will log here, but most will not overload the logs at any one time. Typically if a service has many log entries it will be moved to its own tab and log file.

Figure: Example System Log Entries

Filtering Log Entries

Every log can be searched and filtered to find entries matching a specified pattern. This is very useful for tracking down log messages from a specific service or log entries containing a specific username, IP address, and so on.

To search for log entries:

  • Navigate to Status > System Logs and then the tab for the log to search
  • Click the filter icon in the breadcrumb bar to open the Advanced Log Filter panel
  • Enter the search criteria, for example, place some text or a regular expression in the Message field
  • Click Apply Filter

The filtering fields vary by log tab, but may include:

Message: The body of the log message itself. A word or phrase may be entered to match exactly, or use Regular Expressions to match complex patterns.
Time: The timestamp of the log message. Uses month names abbreviated to three letters.
Process: The name of the process or daemon generating the log messages, such as sshd or check_reload_status.
PID: The process ID number of a running command or daemon. In cases where there are multiple copies of a daemon running, such as openvpn, use this field to isolate messages from a single instance.
Quantity: The number of matches to return in filter results. Setting this value higher than the number of log entries in the log file will have no effect, but setting it higher than the current display value will temporarily show more log messages.
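An offline equivalent of these filter fields, as an added example rather than pfSense code: it applies Message, Time, Process, PID and Quantity to plain-text syslog lines such as those collected by a remote syslog server. The line layout, the sample entries, treating Message, Time and Process as regular expressions, matching PID exactly, and returning the newest matches are assumptions of this example.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "time host process pid message")

# Assumed BSD syslog layout: "Mon DD HH:MM:SS host process[pid]: message"
LINE_RE = re.compile(
    r"^(?P<time>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<process>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)

# Constructed sample lines (documentation address ranges, invented PIDs).
SAMPLE = """\
Mar  3 09:14:02 fw sshd[41277]: Accepted publickey for admin from 192.0.2.10 port 50122 ssh2
Mar  3 09:15:40 fw check_reload_status: Syncing firewall
Mar  3 09:16:11 fw openvpn[8812]: Initialization Sequence Completed
Mar  3 09:16:12 fw openvpn[9034]: TLS Error: TLS handshake failed
Mar  3 09:20:55 fw sshd[41390]: Failed password for invalid user test from 198.51.100.7 port 40022 ssh2
Mar  4 01:02:03 fw php-fpm[337]: /index.php: Successful login for user 'admin' from: 192.0.2.10
""".splitlines()


def parse(line):
    """Split one syslog line into fields; return None if it does not parse."""
    m = LINE_RE.match(line)
    return Entry(**m.groupdict()) if m else None


def filter_log(lines, message=None, time=None, process=None, pid=None, quantity=50):
    """Return up to `quantity` of the newest entries matching every field given.
    message, time and process are regular expressions; pid must match exactly,
    so one instance of a multi-instance daemon can be isolated."""
    patterns = {
        field: re.compile(pattern)
        for field, pattern in (("message", message), ("time", time), ("process", process))
        if pattern
    }
    hits = []
    for line in lines:
        entry = parse(line)
        if entry is None:
            continue  # unparseable lines are skipped rather than matched
        if pid is not None and entry.pid != str(pid):
            continue
        if all(p.search(getattr(entry, f)) for f, p in patterns.items()):
            hits.append(entry)
    return hits[-quantity:] if quantity > 0 else []
```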

The Firewall log tab has a different set of filtering fields:

Source IP Address: The source IP address listed in the log entry.
Destination IP Address: The destination IP address listed in the log entry.
Pass: Check this option to only match log entries that passed traffic.
Block: Check this option to only match log entries that blocked traffic.
Interface: The friendly description name of the interface to match (e.g. WAN, LAN, OPT2, DMZ).
Source Port: The source port of the log entry to match, if the protocol uses ports.
Destination Port: The destination port of the log entry to match, if the protocol uses ports.
Protocol: The protocol to match, such as TCP, UDP, or ICMP.
Protocol Flags: For TCP, this field matches the TCP flags on the log entry, such as SA (SYN+ACK) or FA (FIN+ACK).

The filter pane is hidden by default but it can be included on the page at all times by checking Log Filter under System > General Setup.

Changing Log Settings

Log settings may be adjusted in two different ways. First, the options can be set globally at Status > System Logs on the Settings tab. Second, each log tab can have its own unique settings which override the global defaults. To change these settings click the wrench icon in the breadcrumb bar while viewing a log. Each of these methods will be explained in detail in this section.

The global options area contains more options than the per-log settings. Only differences will be covered in detail for the per-log settings.

Global Log Settings

The global log options under Status > System Logs on the Settings tab include:

Forward/Reverse Display:

By default the logs are displayed in their natural order with the oldest entries at the top and the newest entries at the bottom. Some administrators prefer to see the newest entries at the top, which can be accomplished by checking this box to flip the order.

GUI Log Entries:

The number of log entries to display in the log tabs of the GUI by default. This does not limit the number of entries in the file, only what is shown on the page at the time. The default value is 50. The actual log files may contain much more than the number of lines to display, depending on the Log File Size.

Log File Size (Bytes):

The size of the clog file. The size of the file directly controls how many entries it can contain. The default log size is approximately 500,000 bytes (500KB). There are roughly 20 log files, so any increase in file size will result in 20 times larger total disk utilization from logs. The current total log size and remaining disk space are displayed for reference. At the default size, the logs will hold about 2500 entries on average but it may be significantly more or less depending on the size of individual log entries.

Warning

The new log size will not take effect until a log is cleared or reinitialized. This may be done individually from each log tab or it can be done for all logs using the Reset Log Files button on this page.

Log Packets from Default Block Rules:

Checked by default. When enabled, the default deny rule, which blocks traffic not matched by other rules, will log entries to the firewall log. Typically these log entries are beneficial, but in certain rare use cases they may produce undesirable log entries that are made redundant by custom block rules with logging enabled.

Log Packets from Default Pass Rules:

Unchecked by default. When set, logging will occur for packets matching the default pass out rules on interfaces in pfSense. Setting this option will generate a large amount of log data for connections outbound from the firewall. We only recommend enabling this for brief periods of time while performing troubleshooting or diagnostics.

Log Packets from Block Bogon Networks Rules:

Checked by default. When checked, if an interface has Block Bogon Networks active, packets matching that rule will be logged. Uncheck to disable the logging.

Log Packets from Block Private Networks Rules:

Checked by default. When checked, if an interface has Block Private Networks active, packets matching that rule will be logged. Uncheck to disable the logging.

Web Server Log:

When checked, log messages from the Web GUI process, nginx, will be placed in the main system log. On occasion, especially with Captive Portal active, these messages can be frequent but irrelevant and clutter the log contents.

Raw Logs:

When checked, this setting disables log parsing, displaying the raw contents of the logs instead. The raw logs contain more detail, but they are much more difficult to read. For many logs it also stops the GUI from showing separate columns for the process and PID, leaving all of that information contained in the Message column.

IGMP Proxy:

Toggles the verbosity of the IGMP proxy logs. By default, the logs do not contain much information. Enabling this option causes IGMP proxy to log more detail.

Show Rule Descriptions:

Controls if, and where, the firewall log display will show descriptions for the rules that triggered entries. Displaying the rule descriptions causes extra processing overhead that can slow down the log display, especially in cases where the view is set to show a large number of entries.

Don’t load descriptions: The current default. When selected this choice will not display any rule descriptions. The description may still be viewed by clicking the action column icon in the firewall log view.
Display as column: Adds the rule description in a separate column. This works best if the descriptions are short, or the display is wide.
Display as second row: Adds a second row to each firewall log entry containing the rule description. This choice is better for long rule descriptions or narrow displays.

Tip

If the firewall logs display slowly with rule descriptions enabled, select Don’t load descriptions for faster performance.

Local Logging:

When checked, local logs are not retained. They are not written to disk nor are they kept in memory. While this saves on disk writes, it necessitates the use of remote logging so that information is not lost. We do not recommend using this option as having local logs is vital for the vast majority of use cases.

Reset Log Files:

This button will clear the data from all log files and reinitialize them as new, empty logs. This must be done after changing the log file sizes, and can also be used to clear out irrelevant/old information from logs if necessary.

Warning

Resetting the log files will not save the other options on the page. If options on this page have been changed, click Save before attempting to reset the log files.

Click Save to store the new settings. The remaining options on this screen are discussed in Remote Logging with Syslog.

Per-Log Settings

To change per-log settings, visit the log tab to change and then click the wrench icon in the breadcrumb bar to expand the settings panel.

On this panel, several options are displayed. Most of the options will show the global default value or have a General Logging Options Settings choice which will use the global value and not the per-log value.

The per-log settings panel for each tab only displays options relevant to that log. For example, the options to log default block or pass rules are displayed only when viewing the Firewall log tab.

Each per-log settings panel has at least the following options: Forward/Reverse Display, GUI Log Entries, Log File Size (Bytes), and Formatted/Raw Display. For each of these, a value which will only apply to this log may be set. For more information on how these options work, see Global Log Settings above.

Click Save to store the new log settings.

Note

If the log file size was changed, after saving, open the settings panel again and click the Clear Log button to reset the log using the new size.