Hello,
My router disk is getting full. It is the /var/log/filter which is the culprit. I have looked at the Rules and none of them has 'Enable Logging' turned on. How do i identify what is writing and more important have these logs rotated often?
root@OPNsense:~ # df -h
Filesystem Size Used Avail Capacity Mounted on
zroot/ROOT/default 440G 3.1G 436G 1% /
devfs 1.0K 0B 1.0K 0% /dev
/dev/gpt/efiboot0 260M 1.3M 259M 1% /boot/efi
zroot/tmp 436G 5.1M 436G 0% /tmp
zroot/home 436G 384K 436G 0% /home
zroot/var/tmp 436G 688K 436G 0% /var/tmp
zroot 436G 384K 436G 0% /zroot
zroot/usr/src 436G 384K 436G 0% /usr/src
zroot/var/audit 436G 384K 436G 0% /var/audit
zroot/var/crash 436G 384K 436G 0% /var/crash
zroot/var/log 436G 1.9M 436G 0% /var/log
zroot/usr/ports 436G 384K 436G 0% /usr/ports
zroot/var/mail 436G 512K 436G 0% /var/mail
tmpfs 4.0G 4.0G 0B 100% /var/log
devfs 1.0K 0B 1.0K 0% /var/dhcpd/dev
devfs 1.0K 0B 1.0K 0% /var/unbound/dev
/usr/local/lib/python3.11 440G 3.1G 436G 1% /var/unbound/usr/local/lib/python3.11
/lib 440G 3.1G 436G 1% /var/unbound/lib
root@OPNsense:/var/log/filter # ls -la
total 4007690
drwx------ 2 root wheel 192 Oct 12 11:01 .
drwxr-xr-x 18 root wheel 2432 Oct 18 03:01 ..
-rw------- 1 root wheel 1649451749 Oct 11 00:00 filter_20251010.log
-rw------- 1 root wheel 1866379578 Oct 12 00:00 filter_20251011.log
-rw------- 1 root wheel 588033927 Oct 18 04:56 filter_20251012.log
That's pretty busy. I have all logging enabled on a network with some publicly accessible (but relatively unpopular) servers, and I run from around half to around that size. I have 200 files (set under "System: Settings: Logging"), and space utilization is... 2.7GB, or a bit more than yours. The difference seems to be tmpfs - do you need that? ("System: Settings: Miscellaneous" -> "Disk / Memory Settings (reboot to apply changes)".)