Problem with Armbian and log2ram (/var/log fills up)

Recently got an Orange Pi Zero and installed Armbian on it. Successfully installed Pihole and it's been running great for a while but when checking the web dashboard today it was empty.

After a bit of troubleshooting I found that the problem is that /var/log/ is full (seems like Armbian uses log2ram for /var/log/ and sets it to 50M). After deleting pihole.log.1 the dashboard works as before.

Now I'm wondering what the best solution to this is. Limit log file size? Mount /var/log/ to sdcard? I'm new to Linux so please excuse my ignorance.

I also use log2ram and have no problems.
df -h gives
log2ram 60M 6.9M 54M 12% /var/log
My log2ram is 60 MB but 50 Mb is enough. 12% is used and I never delete files manually.

You have to look for big logfiles in /var/log and delete them. Maybe the installation logfiles or a file with a lot of errors (f.i. a locked database or file). Solve that error and delete that logfile.
50 MB is enough for the pihole

Thank you for your response.

The only files taking up any notable space in /var/log are pihole.log and pihole.log.1 at about 25 Mb each. My PiHole installation is "out-of-the-box" with standard settings. Is there a limit to log file size I should set somewhere?

I also have done an out-of-the-box installation with standard settings. I only filter the IP6 queries in the FTL reports (in pihole-FTL.conf setting AAAA_QUERY_ANALYSIS=no). But this has nothing to do with the pihole logfile.

In my situation, the Pihole logfile is 1.2 GB for about 2850 queries/24 hrs.
That means in your situation about 60.000 queries a day??

I agree with the observation of @eejeel concerning log size. Something seems to be really out-of-order with your log. Most likely you have a device in your network that is querying something like hell, can this be the case? Looking at your Top Clients table (on the dashboard) do you see a client that is standing out?

As I deleted the logs I could not check at the time, but now it's been running for 24 hours and yes, I have a device that is querying like hell. I have a Raspberry Pi running Kodi and the Twitch plugin is querying an insane amount when watching streams (60k+ last 24h). It's using HLS and is querying different ****.hls.ttvnw.net-domains constantly. I guess that's the nature of HLS.

Any idea how to handle this properly? Is it possible to omit this domain range from the log? Or make a script that automatically deletes them from the log? Also thank you for the input.
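
Added example, not part of any post in this thread: a small Python script that finds a standout client directly from pihole.log by counting dnsmasq query lines per client and per domain suffix. The sample lines, client addresses and dnsmasq PID are constructed; only the hls.ttvnw.net hostname comes from the thread, and the line layout is assumed to be dnsmasq's usual `query[TYPE] name from client` form.

```python
import re
from collections import Counter

# dnsmasq query line as it appears in pihole.log (layout assumed, see lead-in):
#   "Jan 20 16:25:29 dnsmasq[612]: query[A] example.com from 192.168.1.21"
QUERY_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]{8}\s+dnsmasq\[\d+\]:\s+"
    r"query\[(?P<qtype>[\w-]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)$"
)

def suffix(name, labels=3):
    """Naive grouping by the last `labels` DNS labels (no public-suffix list)."""
    return ".".join(name.lower().rstrip(".").split(".")[-labels:])

def summarize(lines, labels=3):
    """Count queries per client and per (client, domain suffix)."""
    clients, pairs = Counter(), Counter()
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if not m:
            continue  # forwarded/reply/cached lines and anything malformed
        clients[m["client"]] += 1
        pairs[(m["client"], suffix(m["name"], labels))] += 1
    return clients, pairs

def noisy_clients(lines, share=0.5, min_queries=5, labels=3):
    """Clients that sent more than `share` of all queries, with their top suffix."""
    clients, pairs = summarize(lines, labels)
    total = sum(clients.values())
    found = []
    for client, n in clients.most_common():
        if n < min_queries or n / total <= share:
            continue
        top, top_n = max(
            ((s, c) for (cl, s), c in pairs.items() if cl == client),
            key=lambda item: item[1],
        )
        found.append((client, n, top, top_n))
    return found

# Constructed sample: one client repeatedly resolving the HLS host from the thread.
HLS = "video-edge-c681d8.arn03.hls.ttvnw.net"
SAMPLE = [f"Jan 20 16:25:{29 + 2 * i} dnsmasq[612]: query[A] {HLS} from 192.168.1.50"
          for i in range(8)]
SAMPLE += [
    f"Jan 20 16:25:30 dnsmasq[612]: forwarded {HLS} to 192.0.2.53",
    "Jan 20 16:25:31 dnsmasq[612]: query[AAAA] example.org from 192.168.1.20",
    "Jan  9 07:01:02 dnsmasq[612]: query[A] example.com from 192.168.1.21",
]

if __name__ == "__main__":
    for row in noisy_clients(SAMPLE):
        print(row)
```

To run it against a live system, pass an open file handle instead of the sample, e.g. `noisy_clients(open("/var/log/pihole.log"))`.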

What is HLS? You haven't written out what the abbreviation means and Wikipedia is suggesting a hell of a lot for it (e.g. Harvard Law School)...

No, I think there is not really anything you can do about it. You could, of course, write a script that removes these lines periodically from the log and thereby save disk space, but FTL will still analyze them and put them in the long-term database for you. Interestingly, you are the first one to report this.

Sorry, it's HTTP Live Streaming. I don't know much about it but this part on Wikipedia seems relevant:

It resembles MPEG-DASH in that it works by breaking the overall stream into a sequence of small HTTP-based file downloads, each download loading one short chunk of an overall potentially unbounded transport stream.

Sounds like this might mean trouble for use with Pihole. My Kodi log entries look like this:

16:25:29.130 T:1473766384    INFO: ffmpeg[57D7E3F0]: [hls,applehttp] Opening 'https://video-edge-c681d8.arn03.hls.ttvnw.net/v1/segment/CtgCsTZ1tvspmlCBOETskg3aQiLZHtH1lGELC92TQkVBGOiRF8ZrO6PCWbgS0XzedjcM9Hrte1gvs_r473OC5G3_G8CSOZfrjIqVZPvETdcV_FAu9DKrYidusrY3OplCSpgtCmIujvtKnUByYs1QMkOeo7tkvkH50EFBc10j2tqPqg9dgEXmVEzA0Nu45QN320vCFZC6sdp4PRUycb6AQwnll0ZbrNKOEpDK4Tnu8kJiGSRrZJye4qBpEBUk_LZjQ2xlroRl1Zqw_x4xSJ_A8wvj0wSZnLUxYgsNrlRvF_WLPgYBPCvoBVZMhy-2j9hVY74gVvISLhl5NXPlVzQr52kNxRdWv21M2ju9Q-kOtvOBWt589wTio8gUkwWxYs6jQWjGU2FdeZLO84dQr3lJoDn_4gHPlpBMI-KrdrZft_X90HakR_d0tCHBbcHZdAonrYKfWdr3KmzgkA8SEHw6V09MaVgMpMhmuxEW8XQaDEvs4ZhGqmXvnZzuNw.ts' for reading
16:25:31.396 T:1473766384    INFO: ffmpeg[57D7E3F0]: [hls,applehttp] Opening 'https://video-edge-c681d8.arn03.hls.ttvnw.net/v1/segment/CtgChq3cFGlGfLDoFdAGDJ5BM822rueZ0GhRk_EJQjy3bAs1uYOdfK2IqULQFauLaNnQ5vcY_Zj8AWt7AGALfue_ngipke-3rbupRxyPz05p9_ipJwQWNuQfg64bizAjqyaoSNyEksSaHS0YX7IsCxsq4McUS-BTyFKWQK6TZr6MW-A-piEks8YhAlbpIkcZRbSZsIiaAa9yaXZkndtw9cUITT1fe4Psp6R_COGJEVSeoMOWNYc4k5f9ozDDyOJV511Qh-JCCumQRFgvex2PxJB1FxnBr66r6hBB78wWBG2r2ZvluOHj1zb18s-Mh1tYqqnVyk9J0EKRy9y-V_A7J-ssVXXXdbmsvV5eeN5HvrUD6f0lclWkuvIQAz3yrR77NrTzuqFWhZPh8DZJN_RdsmgdZHwYIdVrLdg8kjtG5Qx5PFoVWTSTwS1rZG253D6flaqrH2E2VdOkG7QSEPmzJ1WF5PIfuVPmA7qxO94aDBAQB-z0ZQW1Vl8_7w.ts' for reading

It seems there's a DNS query for each of these. I'm not sure if that's normal or if there's a malfunction within the add-on or Kodi. Either way it doesn't have anything to do with Pihole.

I don't really mind if these entries are put into the long-term database but the acute problem is them filling up pihole.log. I'll try to figure out how to make a script that deletes these entries.

I'd strongly advise to open a bug report on the add-on project as this behavior, firing DNS requests like hell, is absolutely crazy. Even though it may go unnoticed in networks where DNS requests are not supervised, it is an unbelievable amount of wasted bandwidth and certainly will start to limit the upstream providers' performance if only enough people would use it....

Although this will be only a short-term fix, you should really consider getting the problem itself (with the add-on) resolved.

I actually already did and the dev recently responded. It seems like this is normal behaviour (and the nature of HLS) but the "issue" is that the OS in this case (OSMC) does not cache DNS locally. I installed Kodi on my Windows machine to test this and there was only a single request instead of continuous ones. So the solution seems to be to set up local DNS caching on the Raspberry Pi, if I can figure out how to. In the meantime I've bypassed Pihole, but yes, as you say, it's not a healthy behaviour.

The OS usually doesn't do it at all. You could install dnsmasq locally on the Kodi machine and it should do the caching for you with default settings.


Another solution, though not 100% sure if it works: if you know the domains that are queried and they are always the same ones, you can put them in the "/etc/hosts" file on the Kodi box.
If the Kodi box wants to look up a domain, it's supposed to look at the hosts file first before querying any DNS servers.
That way you don't need to install dnsmasq on the Kodi box and it doesn't query DNS anymore for those hosts file entries.


I have since solved the issue and in the unlikely case that anyone else encounters the same issue the solution (well, one solution anyway) was to enable local DNS cache. For OSMC this is done very simply by editing the file /etc/connman.prefs and changing dnsproxy=no to dnsproxy=yes

This doesn't stop the requests completely but drastically reduces the amount. For example I've had 15k hits so far in January (20 days), instead of 60k+ a day.

Thank you for the feedback.