System logs

To access the system logs, navigate to Status | System Logs. There are several tabs in this section, but the default tab is System. Note that different subcategories (for example, Firewall and DHCP) have their own tabs where you can view log entries related to such activity, which simultaneously makes it easier to find log activity for a specific subcategory and also reduces clutter on the System tab. The System tab is itself divided into several subcategories: General, Gateways, Routing, DNS Resolver, and Wireless.

pfSense logs are stored in such a way as to not overflow the available disk space. The logs have a binary circular log file format; these log files are a fixed size and they store a maximum of 50 entries. If the limit is reached, older log entries are overwritten by newer ones. If you want to retain these logs, you can copy them to another server with syslog.

The General tab includes entries for several different services, including pfBlocker, VPN tunnels, and Dynamic DNS. The default log order is chronological, although you can show the log entries in reverse order by clicking on the Settings tab and checking the Forward/Reverse Display checkbox. Note that there is an Advanced Log Filter section at the top of the page (this section can be expanded by clicking on the plus icon on the right of the section heading).

This section allows you to filter the log entries by several criteria: by time, process, process ID (PID), the quantity of entries displayed (the default is 50), and the message contained in the log entry. Each of these fields except for Quantity can contain a regular expression as well. To filter the logs, click on the Apply Filter button.
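The same criteria can be applied offline to log text copied off the firewall. The following sketch is an added example, not pfSense code: the sample entries are constructed, the BSD-syslog line layout is an assumption about the exported text, and `parse` and `apply_filter` are hypothetical helper names.

```python
import re

# Constructed sample entries in BSD-syslog layout (assumed export format).
SAMPLE_LOG = """\
Mar  3 09:14:02 fw php-fpm[412]: /index.php: Successful login for user 'admin' from: 192.168.1.10
Mar  3 09:15:40 fw check_reload_status[389]: Syncing firewall
Mar  3 09:16:11 fw sshd[5120]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 10:02:55 fw php-fpm[412]: /index.php: authentication error for user 'admin' from: 198.51.100.23
Mar  3 10:03:01 fw sshd[5133]: Failed password for admin from 203.0.113.7 port 51190 ssh2
"""

# time, host, process, optional [pid], then the message text.
LINE_RE = re.compile(
    r"^(?P<time>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"(?P<process>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:\s(?P<message>.*)$"
)

def parse(text):
    """Split raw log text into dicts, skipping lines that do not match."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def apply_filter(entries, time=None, process=None, pid=None, message=None, quantity=50):
    """Keep entries matching every supplied regular expression.

    Quantity is a plain number, not a pattern; the newest `quantity`
    matches are returned, oldest first.
    """
    criteria = {"time": time, "process": process, "pid": pid, "message": message}
    active = {field: re.compile(rx) for field, rx in criteria.items() if rx}
    hits = [e for e in entries
            if all(rx.search(e[field] or "") for field, rx in active.items())]
    return hits[-quantity:] if quantity > 0 else []

if __name__ == "__main__":
    for e in apply_filter(parse(SAMPLE_LOG), process="^sshd$", message="Failed password"):
        print(e["time"], e["pid"], e["message"])
```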

You can control many log settings by clicking on the Settings tab. We already mentioned the Forward/Reverse Display checkbox, which allows you to show the log entries in reverse order. The GUI Log Entries edit box allows you to control the number of log entries displayed in the GUI (but not the number of entries in the actual log files). The next option, the Log file size (Bytes) edit box, allows you to change the size of each log file. By default, each log file is approximately 500 KB. Since there are about 20 log files, the disk space used by log files by default is about 10 MB. If you want to retain more than 50 entries per log file, you can increase this number. Be aware, however, that increasing this value increases every log file size, so make sure you have enough disk space available. For example, if you specify 1,048,576 here (1 MB), the total amount of disk space used will be 20 MB, and each log will contain 100 entries.

The next subsection is Log firewall default blocks. The Log packets matched from the default block rules in the ruleset checkbox, if checked, will log packets that are blocked by the implicit default block rule. By default, all internetwork traffic is blocked unless it is explicitly allowed elsewhere; if this option is set, this blocked traffic will be logged. If the Log packets matched from the default pass rules put in the ruleset checkbox is checked, pfSense will log packets that are allowed by the implicit default pass rule. Since you generally don't want to log traffic that is allowed to pass, by default this option is not checked. The Log packets blocked by 'Block Bogon Networks' rules and the Log packets blocked by 'Block Private Networks' rules checkboxes, if checked, log packets blocked by those rules.

If the Web Server Log checkbox is checked, errors from the web server process for the pfSense GUI or the captive portal will appear in the main system log. The Raw Logs checkbox, if checked, will show the logs without being interpreted by the log parser. The raw log file, though more difficult to read, can be helpful in troubleshooting as it provides detailed information that is left out in the parsed log output.

The next option is the Where to show rule descriptions drop-down box. This option allows you to show a description of the applied rule in the firewall log. The options are as follows:

  • Don't load descriptions: This is the default option
  • Display as column: The applied firewall rule will appear as an additional column
  • Display as second row: The applied firewall rule will appear below the corresponding log entry

The Local Logging checkbox, if checked, will disable writing log files to the local disk. Clicking the Reset Log Files button will clear all local log files and reinitialize them as empty logs. This will also restart the DHCP daemon. If you have made any changes to settings on this page, you should click on the Save button before clearing the log files.

The next section is the Remote Logging Options section. Checking the Enable Remote Logging checkbox allows you to send log messages to a remote syslog server. If you check this option, a number of other options will appear. The Source Address drop-down box allows you to choose to which IP address the syslog daemon will bind. The choices include each interface on your pfSense system (which normally would include at least the WAN and LAN interfaces) and localhost. If one of these options is selected, then remote syslog servers must all be of that IP type (either IPv4 or IPv6). In order to mix IPv4 and IPv6 syslog servers, select Default (any) to bind to all interfaces. Also, if an IP address cannot be located on the chosen interface, the daemon will bind to all addresses.

The IP Protocol drop-down box allows you to select the IP type of the address specified in the Source Address drop-down box. However, if an IP address of the type selected here is not found, the other type will be tried. The Remote log servers edit boxes allow you to specify the IP addresses and ports of up to three syslog servers. Finally, the Remote Syslog Contents checkboxes allow you to select what events are sent to the syslog server(s). Keep in mind that you must configure the syslog daemon on the remote server to accept syslog messages from pfSense. When you are done making changes, click on the Save button.
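On the receiving side, the address chosen under Source Address is the address the collector sees as the sender, so it is the natural value to allowlist. The following minimal collector is an added example, not part of pfSense or of any syslog daemon; it assumes the messages arrive as BSD-syslog datagrams over UDP, and the sender address, port 5514, and output file name are constructed values.

```python
import re
import socketserver

# Assumption: the address of the interface selected under "Source Address".
ALLOWED_SENDERS = {"192.168.1.1"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.DOTALL)

def accept(datagram, sender_ip):
    """Return a record for a well-formed message from an allowed sender, else None."""
    if sender_ip not in ALLOWED_SENDERS:
        return None
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:  # highest valid PRI is 23 * 8 + 7
        return None
    pri = int(m.group(1))
    text = m.group(2).decode("utf-8", "replace")
    # Flatten embedded line breaks so one datagram stays one stored line.
    text = text.replace("\r", " ").replace("\n", " ").strip()
    return {
        "sender": sender_ip,
        "facility": pri >> 3,
        "severity": SEVERITIES[pri & 7],
        "text": text,
    }

class Handler(socketserver.BaseRequestHandler):
    def handle(self):
        data, _sock = self.request  # for UDP servers: (payload, socket)
        record = accept(data, self.client_address[0])
        if record:
            with open("pfsense-remote.log", "a", encoding="utf-8") as fh:
                fh.write("{sender} {severity} {text}\n".format(**record))

if __name__ == "__main__":
    # Port 5514 needs no root; it must match the port entered under Remote log servers.
    with socketserver.UDPServer(("0.0.0.0", 5514), Handler) as server:
        server.serve_forever()
```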
