pfsense, suricata and RAM disk
Running pfsense on an SSD requires moving /tmp and /var to RAM disks to reduce wear on the disk.
When I originally set up pfsense, the memory I allocated for these folders was the suggested 40MB for /tmp and 60MB for /var. All was good until this morning, when no DNS query was resolved.
I took a quick look at Services and found the unbound service stopped. Starting it didn't work: apparently a file was missing:
/var/unbound/test/unbound_server.pem no such file or directory
Mmm, /var... Then I remembered installing suricata a few days ago, and it is known for the quantity of logs it produces. Returning to the pfsense dashboard confirmed it: /var was at 101%!
I then quickly increased the memory allocated for /var and rebooted pfsense. All good now, unbound started! After ssh-ing to the firewall, I found that http.log in /var/log/suricata/suricata_igb05224 was 21MB:
19643 20800 -rw-r--r-- 1 root wheel 21252222 May 1 11:06 http.log
19642 4 -rw-r--r-- 1 root wheel 1832 May 1 11:05 alerts.log
19641 4 -rw-r--r-- 1 root wheel 2999 May 1 10:59 suricata.log
19645 4 -rw-r--r-- 1 root wheel 4096 May 1 10:58 sid_changes.log
19644 0 -rw-r--r-- 1 root wheel 0 May 1 10:38 stats.log
Same story in the log folder of the second network interface. I quickly removed the two files.
Going to Services/Suricata/Logs Management, I have now checked Enable Directory Size Limit and set its size to 24MB. As I mentioned before, I have also increased the /var RAM Disk to 200, since the system has 8GB of RAM and it's mostly unused.
Check the other files in /var/log just to be sure, and keep an eye on the /var size from now on.
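A small shell check for keeping an eye on the /var RAM disk and on oversized Suricata logs, added here as an example (not from the original post). It assumes a FreeBSD/pfSense shell with awk and find, and runs offline against a constructed df sample; on the firewall you would pipe real `df -k` output into it instead.

```shell
#!/bin/sh
# Constructed sample of `df -k` output, shaped like the /var and /tmp RAM
# disks on pfSense (md devices). Not taken from the original post.
SAMPLE_DF='Filesystem 1024-blocks Used Avail Capacity Mounted on
/dev/md1 61440 62084 0 101% /var
/dev/md0 40960 1200 39760 3% /tmp'

# Print the Capacity column (without the %) for one mount point.
# Reads df-style lines from stdin, so on the firewall: df -k | var_usage_pct /var
var_usage_pct() {
    awk -v mnt="$1" '$NF == mnt { sub(/%/, "", $5); print $5 }'
}

# Return 0 if the mount is below THRESHOLD_PCT, 1 if at or above it,
# 2 if the mount is not present. Usage: check_ramdisk MOUNT THRESHOLD_PCT
check_ramdisk() {
    pct=$(var_usage_pct "$1")
    [ -n "$pct" ] || { echo "mount $1 not found" >&2; return 2; }
    if [ "$pct" -ge "$2" ]; then
        echo "WARNING: $1 is at ${pct}% (threshold $2%)"
        return 1
    fi
    echo "OK: $1 is at ${pct}%"
}

# List *.log files under DIR larger than LIMIT_BYTES (e.g. Suricata's http.log).
# Usage: large_logs /var/log/suricata LIMIT_BYTES
large_logs() {
    find "$1" -type f -name '*.log' -size +"${2}c" 2>/dev/null
}

# Demo against the constructed sample; a real run pipes `df -k` instead.
printf '%s\n' "$SAMPLE_DF" | check_ramdisk /var 90 || true
```

Run it from cron on the firewall and you get a warning before /var fills up and unbound loses its files again.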