Disk full with packet logs

bhjitsense

I enabled packet logging in Suricata several days ago. Now my disk is full and I’m pretty sure this is causing it. I wasn’t sure how to view the logs in the first place through the GUI, and I can’t access the GUI now. Where are these logs so I can delete them via shell?

viragomann

/var/log/suricata/

bhjitsense

Thanks. That took care of it.
In the GUI, is there not an easy way to view/export the .pcap files that have been logged?

bmeeks

@bhjitsense said in Disk full with packet logs:

Thanks. That took care of it.
In the GUI, is there not an easy way to view/export the .pcap files that have been logged?

No. You can see the files using DIAGNOSTICS > EDIT FILE from the pfSense menu, but there is nothing within the Suricata GUI for looking at the .pcap files. It is the admin's responsibility to either view them using some CLI tool or export them off the box over to another server for analysis with third-party tools. The PHP system of the firewall does not provide a great programming environment for opening up and viewing large files.