System logs

To access the system logs, first navigate to Status | System Logs. There are several tabs in this section. The default tab is System, but you will likely want to narrow your focus. Fortunately, different subcategories (for example, Firewall and DHCP) have their own tabs where you can view only log entries related to that activity. This makes it easier to find log activity for a specific subcategory and also reduces clutter on the System tab. The System tab is itself divided into several subcategories (currently General, Gateways, Routing, DNS Resolver, and Wireless).

pfSense stores its logs in a way that is designed not to overflow available disk space: the logs use a binary circular log file format. Log files are a fixed size and store a maximum of 50 entries. Once this limit of 50 entries is reached, older log entries are overwritten by newer ones. If you want or need to keep these logs, you can do so by copying them to another server with syslog.

The default log order is chronological; however, you can show log entries in reverse order by clicking on the Settings tab and checking the Forward/Reverse Display checkbox. There is an Advanced Log Filter section at the top of the page—this section can be expanded by clicking on the filter icon to the right of the section heading. Advanced Log Filter can save you considerable time, because it allows you to filter log entries by several criteria. These criteria include time, process, process ID (PID), the quantity of entries displayed, and the message contained in the log entry. Each of these fields with the exception of Quantity (which can only take an integer, for obvious reasons) can contain a regular expression. To filter these logs, simply click on the Apply Filter button in this section.

Many of the log settings can be controlled via the Settings tab. The GUI Log entries field is where you can enter the number of log entries that will be displayed in the GUI—but not the number of entries in the actual log files. To change the number of entries in the log files, we must use the next option, Log file size (Bytes). This field allows you to change the size of each log file. By default, each log file is about 500 KB; there are 20 log files, so the total disk space used by the log files is 10 MB. If you want to retain more than 50 entries per log file, you can increase this number, at the cost of disk space. If you do so, make sure that you have enough disk space available.

The next subsection is Log firewall default blocks. Enabling the Log packets matched from the default block rules in the ruleset option will cause pfSense to log packets that are blocked by the implicit default block rule. All internetwork traffic is blocked by the implicit block rule, but this blocked traffic is not normally logged; it will be logged only if this option is set. If the Log packets matched from the default pass rules put in the ruleset option is checked, then pfSense will log packets that are allowed by the implicit pass rule. The Log packets blocked by ‘Block Bogon Networks’ rules and Log packets blocked by ‘Block Private Networks’ rules options allow you to log packets blocked by those rules, which can be useful if you suspect your network is being attacked and the attacker is using some form of IP spoofing.

If the Web Server Log option is checked, then errors from the web server process for the pfSense GUI or the captive portal will appear in the main system log. The Raw Logs option, if enabled, will show the logs without them being interpreted by the log parser. Normally, we want the log files to be parsed, so they are easier to read; however, the raw log files, though difficult to read, can often be more helpful in troubleshooting—they provide detailed information that is often left out of the parsed log output. The IGMP Proxy option, if enabled, will allow for verbose logging.

The next option, the Where to show rule descriptions dropdown box, allows you to show a description of the rule being applied in the firewall log. You have these options:

The Local Logging option, if enabled, will disable writing log files to the local disk. Clicking on the Reset Log Files button will clear all local log files and reinitialize them as empty logs. It will also restart the DHCP daemon. If you have made any changes to the settings on this page, you should click on the Save button to make sure that you don’t lose these changes before clicking on the Reset Log Files button to clear the logs.

The next section is the Remote Logging Options section, which is useful if you have a syslog server. Checking the Enable Remote Logging checkbox will allow you to send log messages to a remote syslog server, and if you enable this option, several other options will appear on the page. The Source Address drop-down box is where you choose the IP address to which the syslog daemon will bind. The choices include each interface on your system, localhost, and the default, which is any interface. You can select the protocol to use in the Protocol drop-down box. The options are IPv4 and IPv6, but this setting is only used if a nondefault option is selected for Source Address, and even then, it only expresses a preference. If pfSense cannot connect to the syslog server using the chosen IP protocol, it will try with the other.

The Remote log servers fields allow you to specify the IP addresses and ports of the syslog servers. You can specify up to three syslog servers here. The Remote Syslog Contents checkboxes are where you can choose which events are sent to the syslog server(s). If you choose to use a remote syslog server, remember to configure the syslog daemon on the remote end to accept syslog messages from pfSense. When you are finished making changes on this page, click on the Save button.
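The receiving end of the remote logging setup described above, as an added example (not code from pfSense or from the original text): a small UDP syslog listener that accepts datagrams only from the firewall's address, decodes the priority, process and PID, and filters records by regular expression on the same fields Advanced Log Filter uses. The sender address 192.0.2.1, port 5514, the BSD-style (RFC 3164) framing and the function names are assumptions.

```python
import re
import socket

ALLOWED_SENDERS = {"192.0.2.1"}   # assumption: placeholder address of the pfSense box
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")

# Assumed framing (BSD syslog, RFC 3164): <PRI>Mmm dd hh:mm:ss [host] process[pid]: message
LINE = re.compile(
    r"<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?:([^\s:\[]+) )?([^\s:\[]+)(?:\[(\d+)\])?: ?(.*)"
)

def parse(datagram: bytes):
    """Decode one syslog datagram into a record, or None if it is malformed."""
    m = LINE.match(datagram.decode("utf-8", "replace").rstrip("\r\n\x00"))
    if not m or int(m.group(1)) > 191:      # 191 = highest valid facility*8 + severity
        return None
    pri = int(m.group(1))
    return {
        "facility": pri >> 3, "severity": SEVERITIES[pri & 7],
        "time": m.group(2), "host": m.group(3), "process": m.group(4),
        "pid": int(m.group(5)) if m.group(5) else None, "message": m.group(6),
    }

def handle(datagram: bytes, sender_ip: str, allowed=ALLOWED_SENDERS):
    """Drop datagrams from hosts that are not the firewall before parsing them."""
    return parse(datagram) if sender_ip in allowed else None

def matches(rec: dict, **patterns: str) -> bool:
    """Regex filter on record fields (process, pid, message, time); all must match."""
    return all(re.search(p, str(rec[field])) for field, p in patterns.items())

def serve(bind_addr: str = "0.0.0.0", port: int = 5514):
    """Receive UDP syslog and print accepted entries from the firewall log process."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, (ip, _) = sock.recvfrom(8192)
            rec = handle(data, ip)
            # Assumption: firewall log entries arrive with process name "filterlog".
            if rec and matches(rec, process=r"^filterlog$"):
                print(rec["time"], rec["severity"], rec["message"])

# Constructed sample datagrams, not captured from a real firewall.
SAMPLE_NO_HOST = b"<134>Mar  3 10:15:02 filterlog[41527]: constructed sample entry"
SAMPLE_HOST = b"<38>Mar  3 10:16:40 fw1 sshd[812]: error: constructed sample"

if __name__ == "__main__":
    serve()
```

UDP source addresses can be forged, so the sender allowlist belongs alongside a network-level restriction on who can reach the listener port, not in place of it.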