Important

Netgate is offering COVID-19 aid for pfSense software users, learn more.

Log Settings

Log settings on pfSense® software may be adjusted in two different ways:

  • Globally at Status > System Logs on the Settings tab

  • On each log tab where settings can override the global defaults

    To change these settings click fa-wrench in the breadcrumb bar while viewing a log.

Each of these methods will be explained in detail in this section.

The global options area contains more options than the per-log settings. Only differences will be covered in detail for the per-log settings.

Global Log Settings

The global log options under Status > System Logs on the Settings tab include:

In the GUI, the Settings tab under Status > System Logs controls how the logging system behaves.

Log Message Format

The format of messages logged by the system log daemon (syslogd) for local and remote logs. Both formats are handled the same way locally, but remote syslog servers may prefer one format or the other. Check the documentation of the syslog server for details.

BSD (RFC 3164, default)

The default log format used by previous versions of pfSense software and natively used by FreeBSD.

syslog (RFC 5424, with RFC 3339 microsecond-precision timestamps

A modern syslog message format with more precise timestamps. Also includes the hostname.

Forward/Reverse Display

By default the logs are displayed in their natural order with the oldest entries at the top and the newest entries at the bottom. Some administrators prefer to see the newest entries at the top, which can be accomplished by checking this box to flip the order.

GUI Log Entries

The number of log entries to display in the log tabs of the GUI by default. This does not limit the number of entries in the file, only what is shown on the page at the time. The default value is 50. The actual log files may contain much more than the number of lines to display, depending on the Log File Size.

Log File Size (Bytes)

(<= 2.4.x) The size of the circular log file. The size of the file directly controls how many entries it can contain. The default log size is approximately 500,000 bytes (500KB).

There are roughly 20 log files, so any increase in file size will result in 20 times larger total disk utilization from logs. The current total log size and remaining disk space are displayed for reference. At the default size, the logs will hold about 2500 entries on average but it may be significantly more or less depending on the size of individual log entries.

Warning

The new log size will not take effect until a log is cleared or reinitialized. This may be done individually from each log tab or it can be done for all logs using the fa-trash Reset Log Files button on this page. See Adjusting the Size of Log Files for more.

Log Packets from Default Block Rules

Checked by default. When enabled, the default deny rule, which blocks traffic not matched by other rules, will log entries to the firewall log. Typically these log entries are beneficial, but in certain rare use cases they may produce undesirable log entries that are made redundant by custom block rules with logging enabled.

Log Packets from Default Pass Rules

Unchecked by default. When set, logging will occur for packets matching the default pass out rules on interfaces. Setting this option will generate a large amount of log data for connections outbound from the firewall. The best practice is to only enable this for brief periods of time while performing troubleshooting or diagnostics.

Log Packets from Block Bogon Networks Rules

Checked by default. When checked, if an interface has Block Bogon Networks active, packets matching that rule will be logged. Uncheck to disable the logging.

Log Packets from Block Private Networks Rules

Checked by default. When checked, if an interface has Block Private Networks active, packets matching that rule will be logged. Uncheck to disable the logging.

Web Server Log

When checked, log messages from the Web GUI process, nginx, will be placed in the main system log. On occasion, especially with Captive Portal active, these messages can be frequent but irrelevant and clutter the log contents.

Raw Logs

When checked, this setting disables log parsing, displaying the raw contents of the logs instead. The raw logs contain more detail, but they are much more difficult to read. For many logs it also stops the GUI from showing separate columns for the process and PID, leaving all of that information contained in the Message column.

Show Rule Descriptions

Controls if, and where, the firewall log display will show descriptions for the rules that triggered entries. Displaying the rule descriptions causes extra processing overhead that can slow down the log display, especially in cases where the view is set to show a large number of entries.

Don’t load descriptions

When selected this choice will not display any rule descriptions. The description may still be viewed by clicking the action column icon in the firewall log view (e.g. fa-times or fa-play).

Display as column

The default for new installations. Adds the rule description in a separate column. This works best if the descriptions are short, or the display is wide.

Display as second row

Adds a second row to each firewall log entry containing the rule description. This choice is better for long rule descriptions or narrow displays.

Tip

If the firewall logs display slowly with rule descriptions enabled, select Don’t load descriptions for faster performance.

Local Logging

When checked, local logs are not retained. They are not written to disk nor are they kept in memory. While this saves on disk writes, it necessitates the use of remote logging so that information is not lost. This is not a best practice, as having local logs is vital for the vast majority of use cases.

Reset Log Files

This button clears the data from all log files and reinitialize them as new, empty logs. This must be done after changing the log file sizes (2.4.x), and can also be used to clear out irrelevant/old information from logs if necessary.

Warning

Resetting the log files will not save the other options on the page. If options on this page have been changed, click Save before attempting to reset the log files.

Click Save to store the new settings. The remaining options on this screen are discussed in Remote Logging with Syslog.

Log Rotation Settings

Starting with pfSense software version 2.5.0, the system logs are kept in a plain text format and periodically rotated. The options in this section control how the system handles log rotation.

Note

The options in this section of the page are global only, and cannot be changed for individual logs.

Log Rotation Size (Bytes)

This field controls the size at which the system will rotate logs. The default size is 500 KiB per log file. There are nearly 20 log files, so plan space accordingly.

This does also does not account for space used by rotated log files.

Note

Increasing this value allows every log file to grow to the specified size, so disk usage may increase significantly. Log file sizes are checked once per minute to determine if rotation is necessary, so a very rapidly growing log file may exceed this value.

Log Compression

The type of compression to use when the system rotates log files. Compressing rotated log files saves disk space, and the compressed logs remain available for display and searching in the GUI. Though processing large compressed files can be time consuming, most use cases will not notice significant slowness.

The types of compression available are bzip2 (default), gzip, xz, zstd, and none (disables compression). All of the options which use compression are reasonably fast and offer good compression rates. Some may compress better than others, others are slightly faster, but ultimately the decision is up to the environment and the administrators.

Warning

The type of compression used by all log files must be identical. When changing this value, the system must remove all previously rotated compressed log files.

Log Retention Count

The number of rotated log files to keep before the oldest copy is removed. Keeping more log files will consume more disk space, but compressed logs files do not consume nearly as much space as decompressed logs.

Per-Log Settings

To change per-log settings, visit the log tab to change and then click fa-wrench in the breadcrumb bar to expand the settings panel.

On this panel, several options are displayed. Most of the options will show the global default value or have a General Logging Options Settings choice which will use the global value and not the per-log value.

The per-log settings panel for each tab only displays options relevant to that log. For example, the options to log default block or pass rules are displayed only when viewing the Firewall log tab.

Each per-log settings panel has at least the following options: Forward/Reverse Display, GUI Log Entries, Log File Size (Bytes) (2.4.x), and Formatted/Raw Display. For each of these, a value which will only apply to this log may be set. For more information on how these options work, see Global Log Settings above.

Click Save to store the new log settings.

Note

If the log file size was changed, after saving, open the settings panel again and click the fa-trash Clear Log button to reset the log using the new size.