    Suricata crash each time DNS logs are viewed

      sophware

      When in Logs View, various logs (e.g. HTTP, alerts) display properly for both interfaces in my install (WAN, and LAN). When trying to view dns.log, "Loading file..." remains, as if hung. When I check, there is always a new crash report. This happens with either interface.

      Crash report begins.  Anonymous machine information:
      
      amd64
      11.2-RELEASE-p3
      FreeBSD 11.2-RELEASE-p3 #17 e6b497fa0a3(RELENG_2_4_4): Thu Sep 20 09:04:45 EDT 2018     root@buildbot3:/crossbuild/ce-244/obj/amd64/WvDslnYb/crossbuild/ce-244/pfSense/tmp/FreeBSD-src/sys/pfSense
      
      Crash report details:
      
      PHP Errors:
      [03-Dec-2018 13:34:18 America/New_York] PHP Fatal error:  Allowed memory size of 536870912 bytes exhausted (tried to allocate 138964000 bytes) in /usr/local/www/csrf/csrf-magic.php on line 149
      [03-Dec-2018 13:34:37 America/New_York] PHP Fatal error:  Allowed memory size of 536870912 bytes exhausted (tried to allocate 138972208 bytes) in /usr/local/www/csrf/csrf-magic.php on line 149
      [03-Dec-2018 21:14:14 America/New_York] PHP Fatal error:  Allowed memory size of 536870912 bytes exhausted (tried to allocate 213442560 bytes) in /usr/local/www/suricata/suricata_logs_browser.php on line 59
      [03-Dec-2018 21:14:54 America/New_York] PHP Fatal error:  Allowed memory size of 536870912 bytes exhausted (tried to allocate 188424192 bytes) in /usr/local/www/suricata/suricata_logs_browser.php on line 59
      [03-Dec-2018 21:15:09 America/New_York] PHP Fatal error:  Allowed memory size of 536870912 bytes exhausted (tried to allocate 188440576 bytes) in /usr/local/www/suricata/suricata_logs_browser.php on line 59
      [03-Dec-2018 21:16:27 America/New_York] PHP Fatal error:  Allowed memory size of 536870912 bytes exhausted (tried to allocate 213553152 bytes) in /usr/local/www/suricata/suricata_logs_browser.php on line 59
      [03-Dec-2018 21:18:01 America/New_York] PHP Fatal error:  Allowed memory size of 536870912 bytes exhausted (tried to allocate 188645376 bytes) in /usr/local/www/suricata/suricata_logs_browser.php on line 59
      [03-Dec-2018 21:18:42 America/New_York] PHP Fatal error:  Allowed memory size of 536870912 bytes exhausted (tried to allocate 188854272 bytes) in /usr/local/www/suricata/suricata_logs_browser.php on line 59
      
      
      No FreeBSD crash data found.
      
        bmeeks @sophware

        @sophware

        Your log file is too large to load and display using the somewhat limited PHP memory space. The only fix for now is for you to view the log using an external tool (maybe such as the vi editor). Off the top of my head I was thinking there are some log size limits and rotation intervals available for that log file, but it's been a while since I've looked at that Suricata screen.

        If you see limits for that log file, make sure they are configured to keep the size down to only a few megabytes at most. That log will fill up really quickly on a busy network.

          sophware

          Thanks. That makes sense and was the response to an issue like this earlier this year, in this form.

          I didn't fail to search and respond to that post. It's just that the server is only a few days old. It's strange the log file should get that big that fast. Also, the limit on the size of the log file was 750k; and I knocked it down to 500k.

            bmeeks @sophware

            @sophware said in Suricata crash each time DNS logs are viewed:

            Thanks. That makes sense and was the response to an issue like this earlier this year, in this form.

            I didn't fail to search and respond to that post. It's just that the server is only a few days old. It's strange the log file should get that big that fast. Also, the limit on the size of the log file was 750k; and I knocked it down to 500k.

            That log can get quite large quickly due to the type of things it contains.

            I'm looking for a better way of displaying the contents of very large text log files within the GUI without running afoul of the PHP process memory limit.

            S 1 Reply Last reply Reply Quote 0
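
A bounded-memory way to show the end of a large log such as dns.log, as an added example that is not part of the original posts and is not pfSense or Suricata package code. The function name `tail_lines`, its parameters and the sample log lines are hypothetical; it reads backwards from the end of the file in fixed-size chunks, so memory use tracks the lines displayed rather than the file size.

```php
<?php
/**
 * Hypothetical helper (added example, not package code).
 * Return the last $maxLines lines of $path. Reads backwards in fixed-size
 * chunks, so memory use depends on what is shown, not on the file size.
 */
function tail_lines(string $path, int $maxLines = 200,
                    int $chunkSize = 65536, int $maxBytes = 1048576): array
{
    $fh = @fopen($path, 'rb');
    if ($fh === false) {
        throw new RuntimeException("cannot open $path");
    }
    try {
        fseek($fh, 0, SEEK_END);
        $pos = ftell($fh);
        $buffer = '';
        // Stop when enough newlines are buffered, the start of the file is
        // reached, or the byte budget is spent (guards against huge lines).
        while ($pos > 0 && substr_count($buffer, "\n") <= $maxLines
               && strlen($buffer) < $maxBytes) {
            $read = min($chunkSize, $pos);
            $pos -= $read;
            fseek($fh, $pos, SEEK_SET);
            $buffer = fread($fh, $read) . $buffer;
        }
    } finally {
        fclose($fh);
    }
    if ($buffer === '') {
        return [];
    }
    $lines = explode("\n", rtrim($buffer, "\r\n"));
    if ($pos > 0 && count($lines) > 1) {
        array_shift($lines);   // first element may be a partial line
    }
    return array_slice($lines, -$maxLines);
}

// Constructed sample input: 50,000 made-up log lines in a temp file.
$tmp = tempnam(sys_get_temp_dir(), 'dnslog');
$out = fopen($tmp, 'wb');
for ($i = 1; $i <= 50000; $i++) {
    fwrite($out, "constructed line {$i} [**] Query [**] host{$i}.example.test [**] A\n");
}
fclose($out);
// Escape before display: DNS names in the log are attacker-influenced.
echo implode("\n", array_map('htmlspecialchars', tail_lines($tmp, 3))), "\n";
echo 'peak memory: ', memory_get_peak_usage(), " bytes\n";
unlink($tmp);
```
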
              sophware @bmeeks

              @bmeeks Sounds good. Your quick replies are appreciated.

              I can now view the log. Did the 500k setting take effect right away, or did a scheduled job take place?

                bmeeks @sophware

                @sophware said in Suricata crash each time DNS logs are viewed:

                @bmeeks Sounds good. Your quick replies are appreciated.

                I can now view the log. Did the 500k setting take effect right away, or did a scheduled job take place?

                There is a log pruning cron task that executes periodically. I can't remember if the interval is 1 minute or 5 minutes. You probably got lucky and made the change right before the cron task's next execution cycle.
