How do you expand /var

stephenw10

Ah, nice!

If you're running Suricata make sire it has log rotation enabled and then there is a total log size limit set.

Steve

Stewart

@vlee There was a version of Suricata that didn't pay attention to limits and rotation. If you've been upgrading it could have been related to that depending on how long they've been sitting there and how old your versions have been. Upgrading will fix it though, and it seems like you've done that. Just make sure you have your limits and rotation on and you should be all set.

Darkk

@vlee I've had the exact same problem with the /var folder. Although I am using tmpfs in RAM to reduce the number of writes to my SSD. Turns out it was Suricata was not pruning the logs like it should. The thing is before upgrading to 22.05 (pfSense Plus) Suricata was working fine and pruning the logs as usual. After the upgrade it wasn't clearing out the logs.

So I uninstalled Suricata which removed the logs and re-installed it. I've enabled the hard limit of 2 gigs for logs so hopefully it'll fix it. If it doesn't then will have to report it as a bug for Suricata.

stephenw10

Yes, if you're running RAM disks you have to be very careful with Snort/Suricata. Really neither package is intended to be run with RAM disks.

Steve

Darkk

@stephenw10 I've personally never had an issue with it. It got a 6 gig for /var in RAM.

bmeeks

Yes, @stephenw10 is 100% correct. I am the maintainer/developer for both of the IDS/IPS packages, and use of RAM disks is not recommended for either of them. They can log a lot of information very rapidly on a busy network with lots of active rules. That can overwhelm most typical RAM disk setups.

The IDS/IPS packages really do best with spinning hard disks.

stephenw10

I will say that a 6GB RAM disk is not typical.

Darkk

@bmeeks Good point. It's got a 500 gig nvme as the boot / os drive. I could throw in an old Samsung 500 gig EVO just for logging. Will take a look at it at the next re-install.

bmeeks

@stephenw10 said in How do you expand /var:

I will say that a 6GB RAM disk is not typical.

Yeah, agree that 6GB is certainly not a "typical" RAM disk. But still, some of the Suricata EVE JSON logs can get quite large due to the sheer amount of text info that gets logged there. It does depend, though, on exactly what options the admin has enabled for EVE logging.

bmeeks

@darkk said in How do you expand /var:

@bmeeks Good point. It's got a 500 gig nvme as the boot / os drive. I could throw in an old Samsung 500 gig EVO just for logging. Will take a look at it at the next re-install.

One issue you may encounter is that the IDS/IPS packages do not offer a customizable log path option as of now. They default to /var/log. You can remap that at the OS level, of course. But it's not something you can currently do within the package itself. It is an item on my "wish list" TODO.

rcoleman-netgate

Here's the command we use in TAC to determine the largest folders in /var:

Go to Diagnostics->Command Prompt and copy/pasta the following command:

du -a /var | sort -n -r | head -n 10