The log partition is running low on space. What are the options for reducing logging and/or troubleshooting why logging has increased?
The amount of space needed to store logs is hard to estimate based on user count alone, due to this, the log partition might run low on space at times. There are multiple options for reducing logging on a Smoothwall as well as tools to help you troubleshoot if excessive logging is taking place.
Checking log retention and projected space usage
The menu items in "Reports » settings » Datastore settings" shows you both how much space the different types of logs use as well as projected usage. This helps to identify what type of logs are taking up excessive amounts of space. Projected usage can help in determining the retention setting.
Note: The retention settings here are for web filter and firewall logs. System log retention is set in "Reports » Logs » Log settings"
If firewall logs are large, check if any of the Audit options have been enabled in "Networking » settings » advanced". Options for auditing should be turned off during daily use as that can generate large firewall logs.
There are a few options available to reduce the amount of logging done by the web filter. Those options can be found in the "Web proxy » web proxy » settings" by expanding the advanced section. Go to logging options and disable advert, local access and user agents. Disabling those options can reduce logging up to 5%.
Note: The option for "Proxy logging" should be disabled. This covers the Squid proxy logs, not the web filter logs. Enabling this option should only be done when troubleshooting proxy issues.
Troubleshooting excessive logging
Large logs could also be cause by devices spamming requests that get blocked by the web filter. When an application tries to update or connect to external services and that request gets blocked, often it will retry indefinitely. An indicator of this behavior can be seen on the dashboard page by looking at the top domain reports. The report showing hits will show if some domains are being accessed excessively. Run reports to see who and what is accessing those domains will give further information about what the root cause of this may be (blocked access, authentication issues etc.).
Monitoring alerts from the Smoothwall are also shown on the dashboard page. Here excessive firewall logging notifications will be shown, which can help in narrowing down the issue if the firewall logs are consuming log space.