Log Settings

Log settings on pfSense® software may be adjusted in two different ways:

  • Globally at Status > System Logs on the Settings tab

  • On each log tab where settings can override the global defaults

    To change these settings click fa-wrench in the breadcrumb bar while viewing a log.

Each of these methods will be explained in detail in this section.

The global options area contains more options than the per-log settings. Only differences will be covered in detail for the per-log settings.

Global Log Settings

The global log options under Status > System Logs on the Settings tab include:

In the GUI, the Settings tab under Status > System Logs controls how the logging system behaves.

Log Message Format:

The format of messages logged by the system log daemon (syslogd) for local and remote logs. Both formats are handled the same way locally, but remote syslog servers may prefer one format or the other. Check the documentation of the syslog server for details.

BSD (RFC 3164, default)

The default log format used by previous versions of pfSense software and natively used by FreeBSD.

syslog (RFC 5424, with RFC 3339 microsecond-precision timestamps

A modern syslog message format with more precise timestamps. Also includes the hostname.

Forward/Reverse Display:

By default the logs are displayed in their natural order with the oldest entries at the top and the newest entries at the bottom. Some administrators prefer to see the newest entries at the top, which can be accomplished by checking this box to flip the order.

GUI Log Entries:

The number of log entries to display in the log tabs of the GUI by default. This does not limit the number of entries in the file, only what is shown on the page at the time. The default value is 50. The actual log files may contain much more than the number of lines to display, depending on the Log File Size.

Log Packets from Default Block Rules:

Checked by default. When enabled, the default deny rule, which blocks traffic not matched by other rules, will log entries to the firewall log. Typically these log entries are beneficial, but in certain rare use cases they may produce undesirable log entries that are made redundant by custom block rules with logging enabled.

Log Packets from Default Pass Rules:

Unchecked by default. When set, logging will occur for packets matching the default pass out rules on interfaces. Setting this option will generate a large amount of log data for connections outbound from the firewall. The best practice is to only enable this for brief periods of time while performing troubleshooting or diagnostics.

Log Packets from Block Bogon Networks Rules:

Checked by default. When checked, if an interface has Block Bogon Networks active, packets matching that rule will be logged. Uncheck to disable the logging.

Log Packets from Block Private Networks Rules:

Checked by default. When checked, if an interface has Block Private Networks active, packets matching that rule will be logged. Uncheck to disable the logging.

Web Server Log:

When checked, log messages from the Web GUI process, nginx, will be placed in the main system log. On occasion, especially with Captive Portal active, these messages can be frequent but irrelevant and clutter the log contents.

Raw Logs:

When checked, this setting disables log parsing, displaying the raw contents of the logs instead. The raw logs contain more detail, but they are much more difficult to read. For many logs it also stops the GUI from showing separate columns for the process and PID, leaving all of that information contained in the Message column.

Show Rule Descriptions:

Controls if, and where, the firewall log display will show descriptions for the rules that triggered entries. Displaying the rule descriptions causes extra processing overhead that can slow down the log display, especially in cases where the view is set to show a large number of entries.

Don’t load descriptions:

When selected this choice will not display any rule descriptions. The description may still be viewed by clicking the action column icon in the firewall log view (e.g. fa-times or fa-play).

Display as column:

The default for new installations. Adds the rule description in a separate column. This works best if the descriptions are short, or the display is wide.

Display as second row:

Adds a second row to each firewall log entry containing the rule description. This choice is better for long rule descriptions or narrow displays.

Tip

If the firewall logs display slowly with rule descriptions enabled, select Don’t load descriptions for faster performance.

Local Logging:

When checked, local logs are not retained. They are not written to disk nor are they kept in memory. While this saves on disk writes, it necessitates the use of remote logging so that information is not lost. This is not a best practice, as having local logs is vital for the vast majority of use cases.

Log Configuration Changes:

When set, the firewall creates a log entry when the configuration is changed. The log message includes the description of the configuration change when possible.

Reset Log Files:

This button clears the data from all log files and reinitialize them as new, empty logs. This can be used to clear out irrelevant/old information from logs if necessary.

Warning

Resetting the log files will not save the other options on the page. If options on this page have been changed, click Save before attempting to reset the log files.

Click Save to store the new settings. The remaining options on this screen are discussed in Remote Logging with Syslog.

Log Rotation Settings

Starting with pfSense Plus software version 21.02 and pfSense CE software version 2.5.0, the system logs are kept in a plain text format and periodically rotated. The options in this section control how the firewall handles log rotation.

Note

The options in this section of the page are global only, and cannot be changed for individual logs.

Log Rotation Size (Bytes):

This field controls the size at which the firewall rotates logs. The default size is 500 KiB per log file. There are nearly 20 log files, so plan space accordingly.

This does not account for space used by rotated log files.

Note

Increasing this value allows every log file to grow to the specified size, so disk usage can increase significantly. The firewall checks log file sizes once per minute to determine if rotation is necessary, so a rapidly growing log file may exceed this value.

Log Compression:

The type of compression the firewall uses when rotating log files. Compressing rotated log files saves disk space, and the compressed logs remain available for display and searching in the GUI. Though processing large compressed files can be time consuming, most use cases will not notice significant slowness.

The types of compression available are bzip2 (default), gzip, xz, zstd, and none (disables compression). All of the options which use compression are reasonably fast and offer good compression rates. Some may compress better than others, others are slightly faster, but ultimately the decision is up to the environment and the administrators.

Warning

The type of compression used by all log files must be identical. When changing this value, the firewall must remove all previously rotated compressed log files.

On certain systems, disabling compression (set to none) is the best course of action. Examples include:

  • Firewalls using large log file sizes, which may take too long to compress

  • Slower firewalls which may take too long to compress or search the log files even at default sizes

  • Firewalls using ZFS which by default will already compress disk contents

Log Retention Count:

The number of rotated log files to keep before the oldest copy is removed. Keeping more log files will consume more disk space, but compressed logs files do not consume nearly as much space as decompressed logs.

Per-Log Settings

To change per-log settings, visit the log tab to change and then click fa-wrench in the breadcrumb bar to expand the settings panel.

On this panel, several options are displayed. Most of the options will show the global default value or have a General Logging Options Settings choice which will use the global value and not the per-log value.

The per-log settings panel for each tab only displays options relevant to that log. For example, the options to log default block or pass rules are displayed only when viewing the Firewall log tab.

Each per-log settings panel has at least the following options: Forward/Reverse Display, GUI Log Entries, and Formatted/Raw Display. For each of these, a value which will only apply to this log may be set.

See also

For more information on how these options work, see Global Log Settings above.

Click Save to store the new log settings.