pfSense

Sorry. Filling up with nginx messages. Here's a link to the forum thread:

https://forum.netgate.com/topic/170081/gui-services-in-the-system-log-are-filled-with-nginx-messages

Currently, pfSense syslog uses the "-c -c" option to disable the compression of repeated instances of the same line into a single line of the form "last message repeated N times".

https://github.com/pfsense/pfsense/blob/master/src/etc/inc/syslog.inc#L473:

$retval = mwexec_bg("/usr/sbin/syslogd {$syslogd_format} -s -c -c {$syslogd_sockets} -P {$g['varrun_path']}/syslog.pid {$syslogd_extra}");

We can disable this option, but this may affect third party log analysis software,
or allow to enable/disable this option on the status_logs_settings.php page

we can also use the nginx log filtering feature:

map $request_uri $loggable {
    default                                             1;
    ~(ifstats.php|getstats.php|getqueuestats.php)$ 0;
}

access_log /var/log/nginx.log if=$loggable;

OK. I'm certainly not an expert and it doesn't seem to be causing problems. But, from my point of view, I guess I'd want to see just exceptional things in the log. Seeing every POST and GET just seems a bit excessive. For instance, yesterday, my GUI Service log turned over 10 times.

That is a raw web server log, it's not meant to only show notable events, but every access of the web server. That's why it's off on its own tab.

Jim Pingle wrote in #note-6:

That is a raw web server log, it's not meant to only show notable events, but every access of the web server. That's why it's off on its own tab.

In my case, I have increased the log size from the default to 2000 entries. If I recall correctly, the default is 500 entries.

Here are the log files:

8 drwxr-xr-x  2 root  wheel     512 Jun 15  2019 nginx
 192 rw------  1 root  wheel   96066 Aug 17 13:18 nginx.log
  24 rw------  1 root  wheel    9972 Aug 17 11:33 nginx.log.0.bz2
  24 rw------  1 root  wheel   10340 Aug 17 00:40 nginx.log.1.bz2
  16 rw------  1 root  wheel    8027 Aug 16 20:12 nginx.log.2.bz2
  24 rw------  1 root  wheel    8218 Aug 16 19:43 nginx.log.3.bz2
  24 rw------  1 root  wheel    8393 Aug 16 19:14 nginx.log.4.bz2
  24 rw------  1 root  wheel    9997 Aug 16 18:45 nginx.log.5.bz2
  24 rw------  1 root  wheel   10174 Aug 16 15:05 nginx.log.6.bz2

I'm not clear how the rollover mechanism works, but if the system holds a maximum of 2000 messages, then that appears to be two days of messages for my small system. If I wanted to know if there was a noteworthy message in the log, I would have to scroll through the log every day or other day. With all due respect, this is not a feature. There should be a mechanism to turn off routine messages if they not of interest. I would prefer to only see notable messages (i.e., errors), rather than every access of the web server.

I'm getting hit fairly hard with this right now, as I have a busy 24.11 firewall in Azure that's shipping syslog to my Graylog server. It's filling up with

[10/May/2025:13:59:04 -0400] "GET /status_logs.php HTTP/2.0" 200 22533 "https://xxx.cloudapp.azure.com" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36" 

related: https://forum.netgate.com/topic/101816/webgui-populates-syslog-when-dashboard-running/

The "Web Server" checkbox in log settings only disables error logging

 error_log /dev/null;

vs

 error_log  syslog:server=unix:/var/run/log,facility=local5;

The access log happens either way at the moment, though that will, more likely than not, change in the future. Not on this closed issue, but as a part of other logging work.

Not logging the GUI web server access is a large security hole so the default will not change, but there may be an option to disable that logging in some way. People who don't like that can either drop it at the syslog server or edit the source to disable the logging (e.g. in the code that generates the nginx config). Or change their workflow so they don't hit the GUI process for things that could be accomplished other ways (e.g. via SSH).

Jim Pingle wrote in #note-10:

The "Web Server" checkbox in log settings only disables error logging

[...]

vs

[...]

The access log happens either way at the moment, though that will, more likely than not, change in the future. Not on this closed issue, but as a part of other logging work.

Not logging the GUI web server access is a large security hole so the default will not change, but there may be an option to disable that logging in some way. People who don't like that can either drop it at the syslog server or edit the source to disable the logging (e.g. in the code that generates the nginx config). Or change their workflow so they don't hit the GUI process for things that could be accomplished other ways (e.g. via SSH).

I won't argue that for some environments logging GUI web server access is necessary. However, it would still be beneficial for environments where it is not necessary for there to be a setting to disable logging of access and only log errors. Perhaps logging access would not be such a big deal if it didn't cause other issues, such as hourly sshguard log messages. Also, if GUI access and errors are going to the same log, access will swamp errors, resulting in them not being seen, which is also undesirable.