Netgate Discussion Forum

    Disk 109% full

      bhjitsense

      I enabled Suricata packet logging a while back. Wasn't thinking. I don't know where these logs are stored in either the file structure, or in the GUI. Where do I go to delete these?

        Gertjan

        Hi,

        Have a look at the part of the forum where packages (Suricata) are discussed.
        You'll find what you are looking for.

        No "help me" PMs please. Use the forum, the community will thank you.
        Edit: and where are the logs?

          stephenw10 Netgate Administrator

          They are in /var/log/suricata. Stop Suricata, delete those logs.
          Go into the Suricata log management settings, enable auto log management, set a directory size limit of something reasonable, then re-save those settings.
          Monitor it for a few days to be sure it's rotating the logs as expected.

          Steve

            bmeeks

            @stephenw10 is spot on. On the LOG MGMT tab are settings for controlling the size of each active log and for retention of rotated logs.

            There is also a setting for controlling the maximum allowed size of the entire /var/log/suricata tree. Be sure to allow for some overrun when setting the size limit, though. This is because the log management feature is handled by a cron task that runs periodically to check on and clean up logs. On a busy network, there can be a lot of log growth that happens in between the 5-minute checks the cron task performs.

            Unless you have a quite large hard disk (say at least 30 GB or more), then enabling packet logging can be dicey on a busy network. You will need to limit the log size and particularly the retention (the number of old, rotated logs/files kept on disk).

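Sizing the directory limit with the overrun described in the last reply, as an added example that is not part of the original thread and not pfSense or Suricata package code: it samples /var/log/suricata twice, projects the growth over one 5-minute check, and subtracts that from a disk budget. The function names, the budget argument and the 60-second sample window are assumptions.

```shell
#!/bin/sh
# Added example, not pfSense or Suricata package code.
# /var/log/suricata and the 5-minute check come from the thread;
# function names, the budget argument and sample window are assumptions.
LOG_DIR="${LOG_DIR:-/var/log/suricata}"
CHECK_SECS=300   # interval between cleanup checks (5 minutes)

# Current size of a directory tree in KiB.
dir_kb() {
    du -sk "$1" | awk '{print $1}'
}

# KiB of growth expected in one cleanup interval, from two size samples
# taken sample_secs apart. A shrink (rotation in between) counts as 0.
overrun_kb() {
    delta=$(( $2 - $1 ))
    [ "$delta" -gt 0 ] || delta=0
    echo $(( (delta * CHECK_SECS + $3 - 1) / $3 ))
}

# Directory size limit (KiB) that keeps limit + overrun inside the budget.
safe_limit_kb() {
    limit=$(( $1 - $2 ))
    [ "$limit" -gt 0 ] || limit=0
    echo "$limit"
}

# Largest files first, so packet captures stand out.
largest_files() {
    find "$1" -type f -exec du -k {} + | sort -rn | head -n "${2:-5}"
}

report() {
    before=$(dir_kb "$1"); sleep "$3"; after=$(dir_kb "$1")
    over=$(overrun_kb "$before" "$after" "$3")
    echo "size now: ${after} KiB; growth per 5-minute check: ${over} KiB"
    echo "directory size limit at or below: $(safe_limit_kb "$2" "$over") KiB"
    largest_files "$1"
}

# Usage: sh suricata_headroom.sh BUDGET_KIB [SAMPLE_SECS]
if [ -n "${1:-}" ] && [ -d "$LOG_DIR" ]; then
    report "$LOG_DIR" "$1" "${2:-60}"
fi
```

Run it during a busy period, since a sample taken on a quiet network understates the overrun.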
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.