OPNsense Forum

Archive => 23.1 Legacy Series => Topic started by: mircsicz on April 08, 2023, 02:44:58 PM

Title: filter.log filling up my SSD, but can't find rules with enabled logging
Post by: mircsicz on April 08, 2023, 02:44:58 PM
Hi all,

This morning I got an email from my WiFi-WAN provider, asking me to restore power to the AP on my roof. As I'm currently not in the EU and couldn't reach my Dad, who is housesitting, I started to dig into the issue:

Found this in the Unbound log:

2023-04-08T14:10:57 Critical unbound [31257:0] fatal error: could not complete write: /root.key: No space left on device
2023-04-08T14:10:56 Error unbound [31257:0] error: could not fflush(/root.key): No space left on device
2023-04-08T14:10:51 Warning unbound PTR record already exists for unifi.mydom.de(10.yy.xxx.14)


So I checked the FS via SSH:

mircsicz@router:~ $ uptime
2:12PM  up  4:06, 1 user, load averages: 0.42, 0.35, 0.28
mircsicz@router:~ $ df -h
Filesystem                  Size    Used   Avail Capacity  Mounted on
/dev/gpt/rootfs              14G     13G   -153M   101%    /


Damn it, so my APU's 16GB SSD is full! And here's the offender:

mircsicz@router:~ $ sudo du -h /var/log
88K    /var/log/lighttpd
4.0K    /var/log/suricata
4.0K    /var/log/ntp
5.1M    /var/log/audit
8.7G    /var/log/filter


So I rm'd some of those:

mirco@router:~ $ sudo ls -lh /var/log/filter
total 18213184
-rw-------  1 root  wheel   143M Mar 10 00:00 filter_20230309.log
-rw-------  1 root  wheel   154M Mar 11 00:00 filter_20230310.log
-rw-------  1 root  wheel   127M Mar 12 00:00 filter_20230311.log
-rw-------  1 root  wheel   153M Mar 13 00:00 filter_20230312.log
-rw-------  1 root  wheel   132M Mar 14 00:00 filter_20230313.log
-rw-------  1 root  wheel   130M Mar 15 00:00 filter_20230314.log
-rw-------  1 root  wheel   140M Mar 15 23:59 filter_20230315.log
-rw-------  1 root  wheel   130M Mar 17 00:00 filter_20230316.log
-rw-------  1 root  wheel   145M Mar 18 00:00 filter_20230317.log
-rw-------  1 root  wheel   126M Mar 19 00:00 filter_20230318.log
-rw-------  1 root  wheel   125M Mar 20 00:00 filter_20230319.log
-rw-------  1 root  wheel   144M Mar 21 00:00 filter_20230320.log
-rw-------  1 root  wheel   131M Mar 22 00:00 filter_20230321.log
-rw-------  1 root  wheel   117M Mar 23 00:00 filter_20230322.log
-rw-------  1 root  wheel   150M Mar 24 00:00 filter_20230323.log
-rw-------  1 root  wheel   295M Mar 25 00:00 filter_20230324.log
-rw-------  1 root  wheel   502M Mar 25 23:59 filter_20230325.log
-rw-------  1 root  wheel   462M Mar 27 00:00 filter_20230326.log
-rw-------  1 root  wheel   502M Mar 28 00:00 filter_20230327.log
-rw-------  1 root  wheel   515M Mar 29 00:00 filter_20230328.log
-rw-------  1 root  wheel   517M Mar 30 00:00 filter_20230329.log
-rw-------  1 root  wheel   344M Mar 31 00:00 filter_20230330.log
-rw-------  1 root  wheel   320M Apr  1 00:00 filter_20230331.log
-rw-------  1 root  wheel   419M Apr  2 00:00 filter_20230401.log
-rw-------  1 root  wheel   352M Apr  3 00:00 filter_20230402.log
-rw-------  1 root  wheel   505M Apr  4 00:00 filter_20230403.log
-rw-------  1 root  wheel   528M Apr  5 00:00 filter_20230404.log
-rw-------  1 root  wheel   540M Apr  6 00:00 filter_20230405.log
-rw-------  1 root  wheel   507M Apr  7 00:00 filter_20230406.log
-rw-------  1 root  wheel   332M Apr  8 00:00 filter_20230407.log
-rw-------  1 root  wheel   204M Apr  8 14:18 filter_20230408.log
lrwxr-x---  1 root  wheel    35B Apr  8 14:01 latest.log -> /var/log/filter/filter_20230408.log

root@router:/var/log/filter # rm filter_202303*
root@router:/var/log/filter # ls -lh
total 6938944
-rw-------  1 root  wheel   419M Apr  2 00:00 filter_20230401.log
-rw-------  1 root  wheel   352M Apr  3 00:00 filter_20230402.log
-rw-------  1 root  wheel   505M Apr  4 00:00 filter_20230403.log
-rw-------  1 root  wheel   528M Apr  5 00:00 filter_20230404.log
-rw-------  1 root  wheel   540M Apr  6 00:00 filter_20230405.log
-rw-------  1 root  wheel   507M Apr  7 00:00 filter_20230406.log
-rw-------  1 root  wheel   332M Apr  8 00:00 filter_20230407.log
-rw-------  1 root  wheel   204M Apr  8 14:19 filter_20230408.log
lrwxr-x---  1 root  wheel    35B Apr  8 14:01 latest.log -> /var/log/filter/filter_20230408.log


Then I checked through my Filter rules but all of them are like that (https://snipboard.io/I6wtX4.jpg).

So, long story short, my question: Is there a way to check for Filter rules that have logging enabled in the config?
Title: Re: filter.log filling up my SSD, but can't find rules with enabled logging
Post by: Fright on April 09, 2023, 10:00:31 AM
System: Settings: Logging -> "Log packets matched from the default * rules.."?
Title: Re: filter.log filling up my SSD, but can't find rules with enabled logging
Post by: mircsicz on April 09, 2023, 03:24:54 PM
THX a ton
Title: Re: filter.log filling up my SSD, but can't find rules with enabled logging
Post by: zibloon on July 27, 2023, 01:04:08 PM
Quote from: Fright on April 09, 2023, 10:00:31 AM
System: Settings: Logging -> "Log packets matched from the default * rules.."?

Hello and thanks for this answer which is a good suggestion. But in my case I would prefer to limit the size of the /var/log/filter/ directory. Is it possible?
Title: Re: filter.log filling up my SSD, but can't find rules with enabled logging
Post by: Maurice on July 27, 2023, 01:47:39 PM
You can reduce the number of days after which logs get automatically deleted. The setting is on the same page.

Cheers
Maurice
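
Added example, not part of the original thread: when /var/log/filter grows as in the listing above, tallying the log lines per rule id, interface and action shows which rule produces the volume. The leading field order (rulenr, subrulenr, anchorname, rid, interface, reason, action, dir, ipversion) and the sample records are assumptions constructed for illustration; compare them with a line from your own log before relying on the output.

```python
import re
import sys
from collections import Counter

# Assumed order of the leading CSV fields of a filterlog record.
FIELDS = ("rulenr", "subrulenr", "anchorname", "rid", "interface",
          "reason", "action", "dir", "ipversion")
PAYLOAD = re.compile(r"(?:\] |: )(\d+,.*)$")  # CSV part after the syslog header

# Constructed sample records (not from the thread); rule ids are placeholders.
HDR = '<134>1 2023-04-08T14:18:0{0}+02:00 router filterlog 4242 - [meta sequenceId="{0}"] '
TAIL = ",4,0x0,,64,0,0,DF,17,udp,78,203.0.113.5,198.51.100.2,5353,5353,58"
SAMPLE = [HDR.format(i) + "12,,,aaaa0000aaaa0000,igb0,match,block,in" + TAIL for i in (1, 2, 3)]
SAMPLE.append(HDR.format(4) + "57,,,bbbb1111bbbb1111,igb1,match,pass,out" + TAIL)
SAMPLE.append(HDR.format(5) + "truncated record")  # malformed on purpose

def parse_line(line):
    """Return the leading fields of one record as a dict, or None if malformed."""
    m = PAYLOAD.search(line.rstrip("\n"))
    if not m:
        return None
    parts = m.group(1).split(",")
    return dict(zip(FIELDS, parts)) if len(parts) >= len(FIELDS) else None

def tally(lines):
    """Count records and characters per (rule id, interface, action, direction)."""
    counts, size, skipped = Counter(), Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        rule = rec["rid"] or "rulenr " + rec["rulenr"]  # fall back if no rule id
        key = (rule, rec["interface"], rec["action"], rec["dir"])
        counts[key] += 1
        size[key] += len(line)
    return counts, size, skipped

def report(lines, top=10):
    """Return [(key, record count, percent of parsed log size)], largest first."""
    counts, size, skipped = tally(lines)
    total = sum(size.values()) or 1
    return [(k, n, 100.0 * size[k] / total) for k, n in counts.most_common(top)], skipped

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            rows, skipped = report(fh)
    else:
        rows, skipped = report(SAMPLE)
    for (rule, iface, action, direction), n, pct in rows:
        print(f"{n:>8} {pct:5.1f}% {action:<5} {direction:<3} {iface:<6} {rule}")
    print(f"skipped {skipped} unparsable lines")
```

Run it with a log path as the argument, for example the /var/log/filter/latest.log link shown in the listing above; without an argument it uses the constructed sample.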