Bug #12833
closedGUI Service Log Filling Up with Cruft
0%
Description
Starting with 2.6.0 (but I've updated to 22.1 and it's still happening), the GUI Service log at:
Status > System Logs > System > GUI Service
is filling up rapidly with log entries.
Files
Updated by David Lessnau over 3 years ago
Sorry. Filling up with nginx messages. Here's a link to the forum thread:
https://forum.netgate.com/topic/170081/gui-services-in-the-system-log-are-filled-with-nginx-messages
Updated by Viktor Gurov over 3 years ago
Currently, pfSense syslog uses the "-c -c" option to disable the compression of repeated instances of the same line into a single line of the form "last message repeated N times".
https://github.com/pfsense/pfsense/blob/master/src/etc/inc/syslog.inc#L473:
$retval = mwexec_bg("/usr/sbin/syslogd {$syslogd_format} -s -c -c {$syslogd_sockets} -P {$g['varrun_path']}/syslog.pid {$syslogd_extra}");
We can disable this option, but this may affect third party log analysis software,
or allow to enable/disable this option on the status_logs_settings.php page
Updated by Viktor Gurov over 3 years ago
we can also use the nginx log filtering feature:
map $request_uri $loggable { default 1; ~(ifstats.php|getstats.php|getqueuestats.php)$ 0; } access_log /var/log/nginx.log if=$loggable;
see https://docs.nginx.com/nginx/admin-guide/monitoring/logging#enabling-conditional-logging
Updated by Jim Pingle over 3 years ago
- Status changed from New to Not a Bug
It's doing exactly what it's should be doing and logging every request. It's a security concern. If you have no idea what is hitting your GUI making requests that end up in the log, you should be looking into why that is happening, not trying to suppress the logs.
Maybe we could add an option to disable that behavior but it should be enabled by default.
Updated by David Lessnau over 3 years ago
OK. I'm certainly not an expert and it doesn't seem to be causing problems. But, from my point of view, I guess I'd want to see just exceptional things in the log. Seeing every POST and GET just seems a bit excessive. For instance, yesterday, my GUI Service log turned over 10 times.
Updated by Jim Pingle over 3 years ago
That is a raw web server log, it's not meant to only show notable events, but every access of the web server. That's why it's off on its own tab.
Updated by Daryl Morse almost 2 years ago
Jim Pingle wrote in #note-6:
That is a raw web server log, it's not meant to only show notable events, but every access of the web server. That's why it's off on its own tab.
In my case, I have increased the log size from the default to 2000 entries. If I recall correctly, the default is 500 entries.
Here are the log files:
8 drwxr-xr-x 2 root wheel 512 Jun 15 2019 nginx
192 rw------ 1 root wheel 96066 Aug 17 13:18 nginx.log
24 rw------ 1 root wheel 9972 Aug 17 11:33 nginx.log.0.bz2
24 rw------ 1 root wheel 10340 Aug 17 00:40 nginx.log.1.bz2
16 rw------ 1 root wheel 8027 Aug 16 20:12 nginx.log.2.bz2
24 rw------ 1 root wheel 8218 Aug 16 19:43 nginx.log.3.bz2
24 rw------ 1 root wheel 8393 Aug 16 19:14 nginx.log.4.bz2
24 rw------ 1 root wheel 9997 Aug 16 18:45 nginx.log.5.bz2
24 rw------ 1 root wheel 10174 Aug 16 15:05 nginx.log.6.bz2
I'm not clear how the rollover mechanism works, but if the system holds a maximum of 2000 messages, then that appears to be two days of messages for my small system. If I wanted to know if there was a noteworthy message in the log, I would have to scroll through the log every day or other day. With all due respect, this is not a feature. There should be a mechanism to turn off routine messages if they not of interest. I would prefer to only see notable messages (i.e., errors), rather than every access of the web server.
Updated by Daryl Morse about 1 year ago
- File Capture 2.PNG Capture 2.PNG added
In Status / System Logs / Settings, there is the setting "Web Server Log".
I take this setting literally, that if it is checked, errors will be logged. If it's not checked, errors will not be logged. There is no setting for non-errors (e.g., usage) to be logged or not.
If there was a setting to enable or disable logging of non-errors, they could be disabled and it would prevent at least this one log from wrapping so often.
Updated by → luckman212 18 days ago
I'm getting hit fairly hard with this right now, as I have a busy 24.11 firewall in Azure that's shipping syslog to my Graylog server. It's filling up with
[10/May/2025:13:59:04 -0400] "GET /status_logs.php HTTP/2.0" 200 22533 "https://xxx.cloudapp.azure.com" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36"
related: https://forum.netgate.com/topic/101816/webgui-populates-syslog-when-dashboard-running/
Updated by Jim Pingle 16 days ago
The "Web Server" checkbox in log settings only disables error logging
error_log /dev/null;
vs
error_log syslog:server=unix:/var/run/log,facility=local5;
The access log happens either way at the moment, though that will, more likely than not, change in the future. Not on this closed issue, but as a part of other logging work.
Not logging the GUI web server access is a large security hole so the default will not change, but there may be an option to disable that logging in some way. People who don't like that can either drop it at the syslog server or edit the source to disable the logging (e.g. in the code that generates the nginx config). Or change their workflow so they don't hit the GUI process for things that could be accomplished other ways (e.g. via SSH).
Updated by Daryl Morse 6 days ago
Jim Pingle wrote in #note-10:
The "Web Server" checkbox in log settings only disables error logging
[...]
vs
[...]
The access log happens either way at the moment, though that will, more likely than not, change in the future. Not on this closed issue, but as a part of other logging work.
Not logging the GUI web server access is a large security hole so the default will not change, but there may be an option to disable that logging in some way. People who don't like that can either drop it at the syslog server or edit the source to disable the logging (e.g. in the code that generates the nginx config). Or change their workflow so they don't hit the GUI process for things that could be accomplished other ways (e.g. via SSH).
I won't argue that for some environments logging GUI web server access is necessary. However, it would still be beneficial for environments where it is not necessary for there to be a setting to disable logging of access and only log errors. Perhaps logging access would not be such a big deal if it didn't cause other issues, such as hourly sshguard log messages. Also, if GUI access and errors are going to the same log, access will swamp errors, resulting in them not being seen, which is also undesirable.