It looks like the problem with log entries beeing lost is still there, after updating to 2.4. But it mannifests itself in a different manner than in the previous version. As you know, in 2.3.6.81, only the entries from the current session were sometimes lost after the shutdown, those that were already saved, remained intact.
Now, sometimes, every single log entry disapears! It happened to me twice. And I’m not sure it is related to rebooting/shutdown. I have to test this…
I’ve set the log size to 25MB, and most Network rules are beeing logged.
I notice the same. However, there should be a backup in a text file located at C:\Documents and Settings\All Users\Application Data\Comodo\Personal Firewall\Logs
Yes, this business with logs can be very annoying ;D
(:NRD)
Anyway, I think I discovered the mechanism behind the missing log. I’ll try to explain.
The log is written in the logs.log file with fixed size (in my case 25MB - you can change that, of course). When this limit is reached, this file gets overwritten and starts from scratch, instead of new entries overwrite the old ones, keeping the same size of this file. That causes loss of all the entries.
One thing I don’t understand, how could I fill 25MB of logs in just a few hours. The last time I’ve lost logs was tonight at 22:48 , and it happened again a few moments ago. There were not many entries in that time, certanly not 25MB worth. I have the html export, but not the logs.log itself
I will keep monitoring and will post back the results.
Sorry if this wasn’t very clear, but, as you can see, English is not my native language, and it’s allready passed 3 am ;D
A couple things to keep in mind, with the size of the logs…
By default, CFP blocks IGMP, some types of ICMP, etc. In addition, if you’re on a network or behind a router, certain In traffic may be generated by that source. All these will be implicitly blocked by the bottom block & log all rule.
If you have a lot of these type of alerts, that creates a lot of “buzz” in the logs. Whether it would account for 25M, is another question. You can always create some Block rules specifically for these types of traffic, and set them not to create alerts (ie, log entries). Place them above that bottom block & log rule, and reboot. This will cause those unnecessary traffic items to be blocked explicitly (rather than implicitly) and not log them, thus reducing the size of your logs.
At any rate, if you were being hacked, there’d probably be a log entry… ;D
But this doesn’t solve the main problem, and this is the fact that all the log entries are being lost when the size of the log file reaches its maximal allowed size.
I don’t know, maybe it’s just me, maybe it was meant to be this way… but then, what is the point of logging if I’m going to lose it once the limit is reached?
Hmm, yes, good point. I understand setting a log limit, but the mechanics of it do seem a bit odd. Perhaps even better would be an option to create a backup of the log (by user prompt, or something) when it hits the limit, before it over-writes or recreates.
Rest assured, the Comodo team is present in the forums, and have probably seen this topic. Might take a few days, though, for them to catch up after all the website upgrades…
Exactly my thoughts just now :). But what if the user takes a long time to think during the prompt, meanwhile there’s a slew of log entries in the background? What happens to this pending group?
Okay, maybe not a user prompt, keeping slow-thinkers, slow-responders in mind…
Perhaps an option (where the current size of the logfile is set) that the user can check to automatically create backups when overwriting/rewriting the logfile.
In my opinion, the best way to manage logs would be something like the Windows Event logs, where the old entries are getting replaced with the new ones (as soyabeaner said a few posts earlier).
Well, the folks from Comodo had certanly deserved a break, after all the hard work they’ve done.
(V)
I also confirm the disappearance of CFP Log entries. After several days of trying to figure out when the entries actually disappear, I’ve failed. It isn’t on re-boot/start-up that’s for sure. I’ve seen entries disappear 4 times now, each time my system had been up & running for many hours. Each time they disappeared before my eyes when I moved the date selector (Today, Last 7 Days & Last 30 Days).
So, far I’ve tried 5MB, 25MB & 50MB. All have had disappearing Log entries. Of course, if CFPs Log is unbeknown to me going above those limits… well 50MB is surely too big to loose entries that are less than 1.5 hours old.
I also noted the apparent CFP Log file (which someone else spotted as well)… came up on a defrag report… which had loads of entries that I was not specifically aware of. However, IMHO, it would be incorrect to include non-visible Log entries as part of the Log size limit.
I notice this since 2.3 when all 4 monitor logs are disabled.
Sure, I noticed that with 2.4 as well. But, that’s not what causing the disappearances… I played with those options to no avail. The Log entries are really gone.
BTW Is Feedback/Comments the correct place for this topic?
If you open the log file you should be able to “see” invisible entries or lines by highlighting spaces. If they’re not there it could mean that CFP doesn’t record them.
The Help board is more appropriate for this thread.
I assume you mean the logs.log file… I don’t find looking at that file terribly useful since the date/time is in hex. However, it is tiny (111KB currently). I’m still having trouble believing that file hit 25MB (what I normally have the Log file size set to).
I’ll move this topic to the Help section… stand-by.
