
pfsense, suricata and RAM disk

How-To May 1, 2020

Running pfsense on an SSD means you will usually want /tmp and /var on RAM disks to reduce the write wear on the disk. The price is that those directories are now limited by the size you give them, and a full /var breaks services that keep state there.

When I originally set up pfsense, I had allocated the proposed defaults for these folders: 40MB for /tmp and 60MB for /var. All was good until this morning, when no DNS query was being resolved.

I took a quick look at the services and found the unbound service stopped. Starting it didn't work. Apparently a file was missing:
/var/unbound/test/unbound_server.pem: no such file or directory

Mmm, /var... Then I remembered installing suricata a few days ago, and it is known for the quantity of logs it produces. Returning to the pfsense dashboard confirmed it: /var was at 101%! With the RAM disk full, unbound could not write its test certificate on startup, which is why the service refused to come back.

I then quickly increased the memory allocated for /var and rebooted pfsense. It's all good now, unbound started! After SSHing into the firewall, I found that the http.log in /var/log/suricata/suricata_igb05224 was at 21MB:

19643 20800 -rw-r--r--  1 root  wheel  21252222 May  1 11:06 http.log
19642     4 -rw-r--r--  1 root  wheel      1832 May  1 11:05 alerts.log
19641     4 -rw-r--r--  1 root  wheel      2999 May  1 10:59 suricata.log
19645     4 -rw-r--r--  1 root  wheel      4096 May  1 10:58 sid_changes.log
19644     0 -rw-r--r--  1 root  wheel         0 May  1 10:38 stats.log

Same story in the folder of the second network interface. I quickly removed the two http.log files.

Going to Services/Suricata/Logs Management I have now checked Enable Directory Size Limit and set its size to 24MB, so suricata prunes its own logs before they can fill the RAM disk. As I mentioned before, I have also increased the /var RAM disk (System/Advanced/Miscellaneous, RAM Disk Settings) to 200MB, since the system has 8GB of RAM and it's mostly unused.

Check the other files in /var/log as well, just to be sure, and keep an eye on the /var usage from now on: the RAM disk is also cleared on every reboot, so anything that grows there without a size limit will eventually hit the same wall.
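To keep that eye on /var without logging into the dashboard, here is a small POSIX sh check added as an example (it is not from the original post or from pfsense/suricata). It reads the RAM disk usage from df -P, lists the largest files under the suricata log directory when usage crosses a threshold, and exits non-zero so it can be run from cron. The log directory, the 80% threshold and the function names are assumptions; it runs on pfsense's FreeBSD /bin/sh as well as on Linux.

```shell
#!/bin/sh
# Added example, not part of the original post: warn when a RAM disk mount such
# as /var fills up and point at the largest log files underneath it.
# Assumed defaults: pfsense keeps suricata logs under /var/log/suricata,
# and 80% is the point at which we want to be warned.

SURICATA_LOG_DIR="${SURICATA_LOG_DIR:-/var/log/suricata}"   # assumed pfsense layout
WARN_PCT="${WARN_PCT:-80}"                                 # assumed threshold

# Read a full `df -P` listing on stdin and print the Capacity column, as a bare
# integer, for the row whose "Mounted on" column equals MOUNT.  df -P is the
# POSIX output format: Filesystem 1024-blocks Used Available Capacity Mounted on
# Prints nothing if the mount is not in the listing.  FreeBSD can report
# more than 100% on a full UFS RAM disk, exactly as the dashboard did.
df_use_pct() {
    awk -v m="$1" 'NR > 1 && $6 == m { sub(/%/, "", $5); print $5; exit }'
}

# Usage percentage of a live mount point (second line of `df -P PATH`).
mount_use_pct() {
    df -P "$1" | awk 'NR == 2 { sub(/%/, "", $5); print $5 }'
}

# True when a percentage is at or above the warning threshold.
over_threshold() {
    [ "$1" -ge "$WARN_PCT" ]
}

# Regular files under DIR larger than MIN_KB kilobytes, biggest first,
# one "<kilobytes> <path>" per line.  The k suffix to -size is supported by
# both FreeBSD and GNU find.
big_files() {
    find "$1" -type f -size +"$2"k -exec du -k {} \; 2>/dev/null | sort -rn
}

# Print the usage of MOUNT; when it is over the threshold, also print the five
# largest suricata log files and return 1.  Returns 2 if df gives no answer.
check_ram_disk() {
    mnt="$1"
    pct="$(mount_use_pct "$mnt")"
    if [ -z "$pct" ]; then
        echo "cannot read usage of $mnt" >&2
        return 2
    fi
    echo "$mnt is ${pct}% full"
    if over_threshold "$pct"; then
        echo "largest files under $SURICATA_LOG_DIR (KB, path):"
        big_files "$SURICATA_LOG_DIR" 1024 | head -n 5
        return 1
    fi
    return 0
}

# Only act when a mount point is given on the command line, e.g.
#   sh ramdisk_check.sh /var
# so the file can also be sourced for its functions.
if [ "$#" -gt 0 ]; then
    check_ram_disk "$1"
fi
```

Run it as `sh ramdisk_check.sh /var` from a cron job on the firewall; a non-zero exit (and the list of big files) tells you what to prune before unbound notices. The threshold matters more than it looks: the dashboard only told me about the problem after /var had already hit 101%, so warn well before 100%.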


Radu

Since there's no place like 127.0.0.1, I try my best to keep it up to date and add network services using various (mostly old and cheap) network devices.