Huge /var/log/daemon.log

Expected Behaviour:

smaller logs

Actual Behaviour:

/var/log/daemon.log reached 5 Gb

Debug Token:

https://tricorder.pi-hole.net/xk6hzt207v

the daemon.log file seems to contain logs for all requests

Sep 12 16:54:53 PiHole dnsmasq[22011]: reply www.nytimes.com is
Sep 12 16:54:53 PiHole dnsmasq[22011]: reply www.prd.map.nytimes.com is
Sep 12 16:54:53 PiHole dnsmasq[22011]: reply nytimes.map.fastly.net is NODATA-IPv6
Sep 12 16:54:57 PiHole dnsmasq[22011]: query[A] feeds.bbci.co.uk from 10.0.1.87
Sep 12 16:54:57 PiHole dnsmasq[22011]: forwarded feeds.bbci.co.uk to 127.0.0.1
Sep 12 16:54:57 PiHole dnsmasq[22011]: reply feeds.bbci.co.uk is
Sep 12 16:54:57 PiHole dnsmasq[22011]: reply feeds.bbci.co.uk.edgekey.net is
Sep 12 16:54:57 PiHole dnsmasq[22011]: reply e3891.f.akamaiedge.net is 92.123.185.162
Sep 12 16:54:57 PiHole dnsmasq[22011]: query[AAAA] feeds.bbci.co.uk from 10.0.1.87
Sep 12 16:54:57 PiHole dnsmasq[22011]: cached feeds.bbci.co.uk is
Sep 12 16:54:57 PiHole dnsmasq[22011]: cached feeds.bbci.co.uk.edgekey.net is
Sep 12 16:54:57 PiHole dnsmasq[22011]: cached e3891.f.akamaiedge.net is NODATA-IPv6
Sep 12 16:54:58 PiHole dnsmasq[22011]: query[AAAA] p47-keyvalueservice.icloud.com from 10.0.1.179
Sep 12 16:54:58 PiHole dnsmasq[22011]: forwarded p47-keyvalueservice.icloud.com to 127.0.0.1
Sep 12 16:54:58 PiHole dnsmasq[22011]: query[A] p47-keyvalueservice.icloud.com from 10.0.1.179
Sep 12 16:54:58 PiHole dnsmasq[22011]: forwarded p47-keyvalueservice.icloud.com to 127.0.0.1
Sep 12 16:54:58 PiHole dnsmasq[22011]: reply p47-keyvalueservice.icloud.com is
Sep 12 16:54:58 PiHole dnsmasq[22011]: reply keyvalueservice.fe.apple-dns.net is 2a01:b740:a41:102::4
Sep 12 16:54:58 PiHole dnsmasq[22011]: reply keyvalueservice.fe.apple-dns.net is 2a01:b740:a41:102::d
Sep 12 16:54:58 PiHole dnsmasq[22011]: reply keyvalueservice.fe.apple-dns.net is 2a01:b740:a41:105::9
Sep 12 16:54:58 PiHole dnsmasq[22011]: reply keyvalueservice.fe.apple-dns.net is 2a01:b740:a41:106::5
Sep 12 16:54:58 PiHole dnsmasq[22011]: reply keyvalueservice.fe.apple-dns.net is 2a01:b740:a41:106::10
Sep 12 16:54:58 PiHole dnsmasq[22011]: reply keyvalueservice.fe.apple-dns.net is 2a01:b740:a41:106::13
Sep 12 16:54:58 PiHole dnsmasq[22011]: reply keyvalueservice.fe.apple-dns.net is 2a01:b740:a41:107::f
Sep 12 16:54:58 PiHole dnsmasq[22011]: reply keyvalueservice.fe.apple-dns.net is 2a01:b740:a41:100::8
Sep 12 16:54:58 PiHole dnsmasq[22011]: reply p47-keyvalueservice.icloud.com is
Sep 12 16:54:58 PiHole dnsmasq[22011]: reply keyvalueservice.fe.apple-dns.net is 17.248.144.139
Sep 12 16:54:58 PiHole dnsmasq[22011]: reply keyvalueservice.fe.apple-dns.net is 17.248.144.176
Sep 12 16:54:58 PiHole dnsmasq[22011]: reply keyvalueservice.fe.apple-dns.net is 17.248.144.238
Sep 12 16:54:58 PiHole dnsmasq[22011]: reply keyvalueservice.fe.apple-dns.net is 17.248.144.40
Sep 12 16:54:58 PiHole dnsmasq[22011]: reply keyvalueservice.fe.apple-dns.net is 17.248.144.83
Sep 12 16:54:58 PiHole dnsmasq[22011]: reply keyvalueservice.fe.apple-dns.net is 17.248.144.105
Sep 12 16:54:58 PiHole dnsmasq[22011]: reply keyvalueservice.fe.apple-dns.net is 17.248.144.114
Sep 12 16:54:58 PiHole dnsmasq[22011]: reply keyvalueservice.fe.apple-dns.net is 17.248.144.136

We don't log to that file. Have you made any additional configuration changes or added applications?

Entirely standard. Except for cloudflared for DNS over HTTPS

The entries I posted were from daemon.log

You can try a debug run pihole -d and post the token for us to look over but we don't log to that file. Everything is set up with logrotate for the log files that we do generate.

Edit: Sorry, missed the token in the original post.

Below is from your debug log showing the files that are configured for Pi-hole to write to.

log-facility=/var/log/pihole.log

-rw-r--r-- 1 root root 234 Aug  2 18:41 /etc/pihole/logrotate
   /var/log/pihole.log {
   	su root root
   	daily
   	copytruncate
   	rotate 5
   	compress
   	delaycompress
   	notifempty
   	nomail
   }
   /var/log/pihole-FTL.log {
   	su root root
   	weekly
   	copytruncate
   	rotate 3
   	compress
   	delaycompress
   	notifempty
   	nomail
   }

Check your cloudflared configuration files.

Also, see if there are any references to this log in any other files

sudo grep daemon.log -R /etc

Edit - what is output of cat /etc/default/cloudflared

CLOUDFLARED_OPTS=--port 5053 --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query

/etc/logrotate.d/rsyslog:/var/log/daemon.log
/etc/rsyslog.conf:daemon.* -/var/log/daemon.log

It seems dnsmasq is the culprit

Following is from daemon.log

Sep 15 12:12:55 PiHole dnsmasq[628]: forwarded lb._dns-sd._udp.localdomain to 10.0.1.1
Sep 15 12:12:55 PiHole dnsmasq[628]: query[TXT] _aaplcache2._tcp.localdomain from 10.0.1.1
Sep 15 12:12:55 PiHole dnsmasq[628]: forwarded _aaplcache2._tcp.localdomain to 10.0.1.1
Sep 15 12:12:55 PiHole dnsmasq[628]: query[TXT] _aaplcache3._tcp.localdomain from 10.0.1.1
Sep 15 12:12:55 PiHole dnsmasq[628]: forwarded _aaplcache3._tcp.localdomain to 10.0.1.1
Sep 15 12:12:55 PiHole dnsmasq[628]: query[TXT] _aaplcache._tcp.localdomain from 10.0.1.1
Sep 15 12:12:55 PiHole dnsmasq[628]: forwarded _aaplcache._tcp.localdomain to 10.0.1.1
Sep 15 12:12:55 PiHole dnsmasq[628]: query[PTR] lb._dns-sd._udp.localdomain from 10.0.1.1
Sep 15 12:12:55 PiHole dnsmasq[628]: forwarded lb._dns-sd._udp.localdomain to 10.0.1.1
Sep 15 12:12:55 PiHole dnsmasq[628]: query[PTR] lb._dns-sd._udp.0.1.0.10.in-addr.arpa from 10.0.1.1
Sep 15 12:12:55 PiHole dnsmasq[628]: forwarded lb._dns-sd._udp.0.1.0.10.in-addr.arpa to 10.0.1.1
Sep 15 12:12:55 PiHole dnsmasq[628]: query[PTR] lb._dns-sd._udp.0.1.0.10.in-addr.arpa from 10.0.1.1
Sep 15 12:12:55 PiHole dnsmasq[628]: forwarded lb._dns-sd._udp.0.1.0.10.in-addr.arpa to 10.0.1.1
Sep 15 12:12:55 PiHole dnsmasq[628]: query[TXT] _aaplcache2._tcp.localdomain from 10.0.1.1
Sep 15 12:12:55 PiHole dnsmasq[628]: forwarded _aaplcache2._tcp.localdomain to 10.0.1.1
Sep 15 12:12:55 PiHole dnsmasq[628]: query[PTR] lb._dns-sd._udp.localdomain from 10.0.1.1
Sep 15 12:12:55 PiHole dnsmasq[628]: forwarded lb._dns-sd._udp.localdomain to 10.0.1.1
Sep 15 12:12:55 PiHole dnsmasq[628]: query[PTR] lb._dns-sd._udp.0.1.0.10.in-addr.arpa from 10.0.1.1

Following is from pihole.log

Sep 15 12:25:48 dnsmasq[1845]: query[AAAA] s3-a.dualstack.eu-west-1.amazonaws. com from 10.0.1.120
Sep 15 12:25:48 dnsmasq[1845]: forwarded s3-a.dualstack.eu-west-1.amazonaws. com to 127.0.0.1
Sep 15 12:25:48 dnsmasq[1845]: query[A] s3-a.dualstack.eu-west-1.amazonaws. com from 10.0.1.120
Sep 15 12:25:48 dnsmasq[1845]: forwarded s3-a.dualstack.eu-west-1.amazonaws. com to 127.0.0.1
Sep 15 12:25:48 dnsmasq[1845]: reply s3-a.dualstack.eu-west-1.amazonaws. com is 2a05:d050:8020:7c9:34da:2558::
Sep 15 12:25:48 dnsmasq[1845]: reply s3-a.dualstack.eu-west-1.amazonaws. com is 52.218.105.42
Sep 15 12:25:52 dnsmasq[1845]: query[A] czfe147-front01-iad01.transport.home.nest. com from 10.0.1.25
Sep 15 12:25:52 dnsmasq[1845]: forwarded czfe147-front01-iad01.transport.home.nest. com to 127.0.0.1
Sep 15 12:25:52 dnsmasq[1845]: query[A] czfe147-front01-iad01.transport.home.nest. com from 10.0.1.1
Sep 15 12:25:52 dnsmasq[1845]: forwarded czfe147-front01-iad01.transport.home.nest. com to 127.0.0.1
Sep 15 12:25:52 dnsmasq[1845]: query[A] czfe147-front01-iad01.transport.home.nest. com from 10.0.1.1
Sep 15 12:25:52 dnsmasq[1845]: forwarded czfe147-front01-iad01.transport.home.nest. com to 127.0.0.1
Sep 15 12:25:52 dnsmasq[1845]: reply czfe147-front01-iad01.transport.home.nest. com is
Sep 15 12:25:52 dnsmasq[1845]: reply ec2-3-83-184-159.compute-1.amazonaws. com is 3.83.184.159
Sep 15 12:25:52 dnsmasq[1845]: reply czfe147-front01-iad01.transport.home.nest. com is
Sep 15 12:25:52 dnsmasq[1845]: reply ec2-3-83-184-159.compute-1.amazonaws. com is 3.83.184.159
Sep 15 12:25:52 dnsmasq[1845]: reply czfe147-front01-iad01.transport.home.nest. com is
Sep 15 12:25:52 dnsmasq[1845]: reply ec2-3-83-184-159.compute-1.amazonaws. com is 3.83.184.159
Sep 15 12:25:53 dnsmasq[1845]: query[AAAA] gateway.fe.apple-dns.net from 10.0.1.120

I don't know if it helps, but I ran pihole -r and one of the messages was -

[i] Existing dnsmasq.conf found... it is not a Pi-hole file, leaving alone!

Finally here is a screenshot showing the various sizes - 72 hrs after I cleared both daemon.log and pihole.log

Look in /etc and /etc/dnsmasq.d folder and subfolders for a configuration file that is doing this.

File /etc/dnsmasq.conf with a standard Pi-Hole install should read as follows:

conf-dir=/etc/dnsmasq.d

In the referenced folder, 01-pihole.conf is the file installed by Pi-Hole. There may be others installed either by you or by other software.

cat README
# All files in this directory will be read by dnsmasq as
# configuration files, except if their names end in
# ".dpkg-dist",".dpkg-old" or ".dpkg-new"
#
# This can be changed by editing /etc/default/dnsmasq
cat 01-pihole.conf
# Pi-hole: A black hole for Internet advertisements
# (c) 2017 Pi-hole, LLC (https://pi-hole.net)
# Network-wide ad blocking via your own hardware.
#
# Dnsmasq config for Pi-hole's FTLDNS
#
# This file is copyright under the latest version of the EUPL.
# Please see LICENSE file for your rights under this license.

###############################################################################
#      FILE AUTOMATICALLY POPULATED BY PI-HOLE INSTALL/UPDATE PROCEDURE.      #
# ANY CHANGES MADE TO THIS FILE AFTER INSTALL WILL BE LOST ON THE NEXT UPDATE #
#                                                                             #
#        IF YOU WISH TO CHANGE THE UPSTREAM SERVERS, CHANGE THEM IN:          #
#                      /etc/pihole/setupVars.conf                             #
#                                                                             #
#        ANY OTHER CHANGES SHOULD BE MADE IN A SEPARATE CONFIG FILE           #
#                    WITHIN /etc/dnsmasq.d/yourname.conf                      #
###############################################################################

addn-hosts=/etc/pihole/gravity.list
addn-hosts=/etc/pihole/black.list
addn-hosts=/etc/pihole/local.list


localise-queries

no-resolv

cache-size=10000

log-queries
log-facility=/var/log/pihole.log

local-ttl=2

log-async

# If a DHCP client claims that its name is "wpad", ignore that.
# This fixes a security hole. see CERT Vulnerability VU#598349
dhcp-name-match=set:wpad-ignore,wpad
dhcp-ignore-names=tag:wpad-ignore
server=127.0.0.1#5353
domain-needed
bogus-priv
interface=enxb827ebf04a90

The dnsmasq.conf file is as above - just the single line
The 01-pihole.conf is also as above.
There are no other files in /etc/dnsmasq.d/

Most of the content of pihole.log is as follows - about 100 entries per second -

I am having the same exact issue. dnsmasq is similarly logging to syslog as well. @MVRLogins did you find a solution to this?

PIDs (process IDs) are different, 628 & 1845.
Almost feels like you have two DNS daemons running.
What daemons are listening?

sudo netstat -nltup

EDIT: @McKenna_Jones, same question?

EDIT2: And for both, what's the output for the below two:

lsb_release -a

sudo grep -v '^#\|^$' -R /etc/apt/sources.list* | sort

Last evening I deleted both syslog and daemon.log and restarted my Pi before bed. Since then I have not seen dnsmasq logging to either file.

Here you go @deHakkelaar:

Thanks @deHakkelaar
Here you go

and

Syslog used to be ok, now that's filling up too!

This is what I'm seeing - dozens or more per second

I think I'm just going to get a new SD card (this one is probably shot with all this writing) and reinstall pihole from scratch.

I thought I'd reboot and try one more time.

I deleted the logs - daemon, syslog and pihole, and rebooted.

Now daemon and syslog are fine but the pihole.log is full of this -

The PTR requests are DNS Discovery Service requests, normal network traffic.

Do you have conditional forwarding enabled?

Conditional forwarding is enabled.
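An added example, not part of the thread and not Pi-hole code: a small Python triage script for dnsmasq query-log lines in either format posted above (daemon.log with a hostname, pihole.log without). It reports the distinct dnsmasq PIDs, the busiest clients, and names that were forwarded to the same address that asked for them, the pattern visible in the 10.0.1.1 lines; the function name `analyse` and the report keys are this example's own.

```python
import re
from collections import Counter

# Handles both formats in the thread: syslog lines carry a hostname
# ("PiHole") before "dnsmasq[pid]", pihole.log lines do not.
LINE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s(?:\S+\s)?dnsmasq\[(?P<pid>\d+)\]:\s"
    r"(?P<verb>query\[\w+\]|forwarded|reply|cached)\s(?P<name>\S+)\s"
    r"(?:from|to|is)\s?(?P<arg>.*)$"
)

# Sample lines copied from the excerpts posted in the thread.
SAMPLE = """\
Sep 12 16:54:57 PiHole dnsmasq[22011]: query[A] feeds.bbci.co.uk from 10.0.1.87
Sep 12 16:54:57 PiHole dnsmasq[22011]: forwarded feeds.bbci.co.uk to 127.0.0.1
Sep 12 16:54:57 PiHole dnsmasq[22011]: reply feeds.bbci.co.uk is
Sep 15 12:12:55 PiHole dnsmasq[628]: query[TXT] _aaplcache2._tcp.localdomain from 10.0.1.1
Sep 15 12:12:55 PiHole dnsmasq[628]: forwarded _aaplcache2._tcp.localdomain to 10.0.1.1
Sep 15 12:12:55 PiHole dnsmasq[628]: query[PTR] lb._dns-sd._udp.0.1.0.10.in-addr.arpa from 10.0.1.1
Sep 15 12:12:55 PiHole dnsmasq[628]: forwarded lb._dns-sd._udp.0.1.0.10.in-addr.arpa to 10.0.1.1
Sep 15 12:12:55 PiHole dnsmasq[628]: query[PTR] lb._dns-sd._udp.0.1.0.10.in-addr.arpa from 10.0.1.1
Sep 15 12:12:55 PiHole dnsmasq[628]: forwarded lb._dns-sd._udp.0.1.0.10.in-addr.arpa to 10.0.1.1
Sep 15 12:25:53 dnsmasq[1845]: query[AAAA] gateway.fe.apple-dns.net from 10.0.1.120
"""

def analyse(lines):
    """Summarise dnsmasq query-log lines: PIDs seen, queries per client,
    and names forwarded back to the address that asked for them."""
    pids, clients, echoed, unparsed = set(), Counter(), Counter(), 0
    last_client = {}  # name -> client that most recently queried it
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            unparsed += 1  # non-query lines or damaged text
            continue
        pids.add(int(m["pid"]))
        verb, name, arg = m["verb"], m["name"], m["arg"]
        if verb.startswith("query"):
            clients[arg] += 1
            last_client[name] = arg
        elif verb == "forwarded" and last_client.get(name) == arg:
            echoed[(name, arg)] += 1  # upstream is the client itself
    return {"pids": pids, "clients": clients,
            "echoed": echoed, "unparsed": unparsed}

if __name__ == "__main__":
    report = analyse(SAMPLE.splitlines())
    print("dnsmasq PIDs seen:", sorted(report["pids"]))
    print("top clients:", report["clients"].most_common(3))
    for (name, addr), n in report["echoed"].most_common():
        print(f"{n}x {name} forwarded back to its client {addr}")
```

To run it over a real file, pass the open file object to `analyse` in place of `SAMPLE.splitlines()`.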