System Logs
pfSense® software logs a lot of data by default, but does so in a manner that
will not overflow the storage on the firewall. The logs can be viewed in the GUI
under Status > System Logs and under /var/log/ on the file system.
Some components, such as DHCP and IPsec, generate enough log entries that they have their own logging tabs, which reduces clutter in the main system log and eases troubleshooting for these individual services. To view other logs, click the tab for the subsystem in question. Certain areas, such as System and VPN, have sub-tabs with additional related options.
pfSense logs are stored in a binary circular log format called clog. These files are a fixed size and never grow. As a consequence, each log only holds a fixed number of entries, and the oldest entries are continually pushed out of the log as new entries are added. If log retention is a concern for an organization, the logs can be copied to another server with syslog, where they can be permanently retained or rotated less frequently. See Remote Logging with Syslog later in this chapter for information about syslog.
On normal installations where logs are kept on disk, they are retained across
reboots. When /var is in a RAM disk, the system attempts to back up the logs
at shutdown and restore them when booting. If the system does not shut down
cleanly, the logs will reset.
Viewing System Logs
The system logs can be found under Status > System Logs, on the System tab. This will include log entries generated by the host itself in addition to those created by services and packages which do not have their logs redirected to other tabs/log files.
As shown by the example entries in Figure Example System Log Entries, there are log entries from several different areas in the main system log. Many other subsystems will log here, but most will not overload the logs at any one time. Typically if a service has many log entries it will be moved to its own tab and log file.
Figure: Example System Log Entries
Filtering Log Entries
Every log can be searched and filtered to find entries matching a specified pattern. This is very useful for tracking down log messages from a specific service or log entries containing a specific username, IP address, and so on.
To search for log entries:
1. Navigate to Status > System Logs and then to the tab for the log to search.
2. Click the button in the breadcrumb bar to open the Advanced Log Filter panel.
3. Enter the search criteria; for example, place some text or a regular expression in the Message field.
4. Click Apply Filter.
The filtering fields vary by log tab, but may include:
- Message
The body of the log message itself. A word or phrase may be entered to match exactly, or use Regular Expressions to match complex patterns.
- Time
The timestamp of the log message. Uses month names abbreviated to three letters.
- Process
The name of the process or daemon generating the log messages, such as sshd or check_reload_status.
- PID
The process ID number of a running command or daemon. In cases where multiple copies of a daemon are running, such as openvpn, use this field to isolate messages from a single instance.
- Quantity
The number of matches to return in filter results. Setting this value higher than the number of log entries in the log file will have no effect, but setting it higher than the current display value will temporarily show more log messages.
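The filter fields above map directly onto the parts of a syslog-style line ("Mon DD HH:MM:SS host process[pid]: message"). The following added example (not part of the pfSense documentation or code) parses constructed sample lines in that layout and applies Message, Time, Process, PID and Quantity criteria; matching Process and PID exactly, and treating Message and Time as regular expressions, are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample entries in classic syslog layout; written for this
# example, not taken from a real pfSense system.
SAMPLE_LOG = """\
Jan  5 10:12:01 fw sshd[2201]: Accepted publickey for admin from 192.0.2.10 port 51000 ssh2
Jan  5 10:12:07 fw check_reload_status[412]: Syncing firewall
Jan  5 10:13:30 fw openvpn[3011]: 198.51.100.7:1194 TLS: Initial packet from [AF_INET]198.51.100.7:1194
Jan  5 10:13:31 fw openvpn[3022]: 203.0.113.9:1194 VERIFY ERROR: depth=0, error=certificate has expired
Jan  5 10:14:02 fw sshd[2240]: Failed password for root from 203.0.113.5 port 40022 ssh2
"""

# Three-letter month, day, time, host, process name, optional [pid], message.
LINE_RE = re.compile(
    r"^(?P<time>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<process>[^\[\]:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$"
)

@dataclass
class Entry:
    time: str
    host: str
    process: str
    pid: Optional[int]
    message: str

def parse_log(text: str) -> List[Entry]:
    """Parse syslog-style lines; lines that do not fit the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pid = int(m["pid"]) if m["pid"] else None
            entries.append(Entry(m["time"], m["host"], m["process"], pid, m["message"]))
    return entries

def filter_entries(entries, message=None, time=None, process=None, pid=None, quantity=50):
    """Apply the filter fields: regex on Message and Time, exact Process and PID,
    and Quantity as an upper bound on how many matches are returned."""
    out = []
    for e in entries:
        if message and not re.search(message, e.message):
            continue
        if time and not re.search(time, e.time):
            continue
        if process and e.process != process:
            continue
        if pid is not None and e.pid != pid:
            continue
        out.append(e)
        if len(out) >= quantity:  # Quantity larger than the match count has no effect
            break
    return out
```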
The Firewall log tab has a different set of filtering fields:
- Source IP Address
The source IP address listed in the log entry.
- Destination IP Address
The destination IP address listed in the log entry.
- Pass
Check this option to only match log entries that passed traffic.
- Block
Check this option to only match log entries that blocked traffic.
- Interface
The friendly description name of the interface to match (e.g. WAN, LAN, OPT2, DMZ).
- Source Port
The source port of the log entry to match, if the protocol uses ports.
- Destination Port
The destination port of the log entry to match, if the protocol uses ports.
- Protocol
The protocol to match, such as TCP, UDP, or ICMP.
- Protocol Flags
For TCP, this field matches the TCP flags on the log entry, such as SA (SYN+ACK) or FA (FIN+ACK).
The filter pane is hidden by default but it can be included on the page at all times by checking Log Filter under System > General Setup.