Suricata log browser memory error



  • When trying to read Suricata logs I get this error:

    PHP Fatal error:  Allowed memory size of 536870912 bytes exhausted (tried to allocate 623090865 bytes) in /usr/local/www/suricata/suricata_logs_browser.php on line 58.
    

    Is there a way to increase the memory php is allowed to use, or is this a bug in mem alloc on suricata_logs_browser.php?



  • @idarlund:

    When trying to read Suricata logs I get this error:

    PHP Fatal error:  Allowed memory size of 536870912 bytes exhausted (tried to allocate 623090865 bytes) in /usr/local/www/suricata/suricata_logs_browser.php on line 58.
    

    Is there a way to increase the memory php is allowed to use, or is this a bug in mem alloc on suricata_logs_browser.php?

    No.  This is a system-level call within the PHP source code.  You can hand-edit files if you want, but the next update will overwrite them.  Why don't you instead rotate your logs and/or copy them off someplace else to open them with another editor?  They are plaintext, so any editor can open them.  The package GUI tries to keep things simple and opens them in a modal dialog within Bootstrap, but there are some memory limitations using that approach.

    Bill



  • You can increase the PHP memory by editing /etc/inc/config.inc

    
    // Set memory limit to 512M on amd64.
    if ($ARCH == "amd64") {
    //	ini_set("memory_limit", "512M");
    	ini_set("memory_limit", "640M");
    } else {
    	ini_set("memory_limit", "128M");
    }
    
    

    You have to redo the modification when you update/upgrade pfSense, as it is overwritten during the process.



  • Thanks to both of you. As you might already know, both solutions worked :)
    Maybe the php memory_limit should be a system tunable in system_advanced_sysctl.php ?



  • Using pfSense 2.4.2p1 and Suricata 4.03, I also get this error.  So I edited the /etc/inc/config.inc to allow 1024M for amd64 and rebooted.  But afterwards I still get:

    PHP ERROR: Type: 1, File: /usr/local/www/suricata/suricata_logs_browser.php, Line: 58, Message: Allowed memory size of 536870912 bytes exhausted (tried to allocate 625753393 bytes)

    This is the section from my config.inc:
    // Set memory limit to 512M on amd64.
    if ($ARCH == "amd64") {
    	ini_set("memory_limit", "1024M");
    } else {
    	ini_set("memory_limit", "128M");
    }

    Server has 48 Gig of memory so should be no problem right?
    Is this memory setting moved somewhere else now for Suricata?



  • @RichH:

    Using pfSense 2.4.2p1 and Suricata 4.03, I also get this error.  So I edited the /etc/inc/config.inc to allow 1024M for amd64 and rebooted.  But afterwards I still get:

    PHP ERROR: Type: 1, File: /usr/local/www/suricata/suricata_logs_browser.php, Line: 58, Message: Allowed memory size of 536870912 bytes exhausted (tried to allocate 625753393 bytes)

    This is the section from my config.inc:
    // Set memory limit to 512M on amd64.
    if ($ARCH == "amd64") {
    	ini_set("memory_limit", "1024M");
    } else {
    	ini_set("memory_limit", "128M");
    }

    Server has 48 Gig of memory so should be no problem right?
    Is this memory setting moved somewhere else now for Suricata?

    If you let your logs get very large, the viewing in the GUI is just not going to work.  The PHP process that the GUI runs within has limits on the amount of memory a given PHP session can consume.  This is set during boot-up time by pfSense.

    If you have a busy network and large log files, I strongly recommend copying them off to another host running an application designed to parse IDS/IPS logs.  There have been some suggestions by users here on the forum. I don't currently have a recommendation as my home network does not generate large logs and the normal rotation logic within the package keeps my log files at a manageable size.

    Bill
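
The shell functions below illustrate the advice in the replies above: list the logs that are larger than the PHP limit quoted in the error message, and view the newest lines of one within a fixed byte budget instead of loading the whole file. This is an added example, not code from the thread, pfSense or the Suricata package; the function names are hypothetical and the log directory is whatever path the caller passes in.

```shell
#!/bin/sh
# Added example: inspect large plaintext logs from a shell without loading
# them whole. Function names are hypothetical; nothing here is package code.

# PHP limit reported in the thread's error message (512 MiB).
PHP_LIMIT_BYTES=536870912

# file_size FILE -> size in bytes (wc -c streams; works on BSD and GNU)
file_size() {
    wc -c < "$1" | tr -d ' '
}

# oversized_logs DIR [LIMIT_BYTES]
# Prints one "SIZE PATH" line for every file larger than the limit.
oversized_logs() {
    dir=$1
    limit=${2:-$PHP_LIMIT_BYTES}
    find "$dir" -type f -size +"${limit}"c | while IFS= read -r f; do
        printf '%s %s\n' "$(file_size "$f")" "$f"
    done
}

# tail_within FILE BUDGET_BYTES
# Prints the newest lines of FILE that fit in BUDGET_BYTES.
tail_within() {
    file=$1
    budget=$2
    size=$(file_size "$file")
    if [ "$size" -le "$budget" ]; then
        # Small enough: show everything.
        cat "$file"
    else
        # The cut usually lands mid-line, so drop the first (partial) line.
        tail -c "$budget" "$file" | sed 1d
    fi
}
```

Called as `oversized_logs <log directory>` and `tail_within <log file> 1048576`, this shows which files the GUI viewer cannot open and the last megabyte of one of them.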



  • Thanks Bill, that is probably my issue.