Suricata crash each time DNS logs are viewed



  • When in Logs View, various logs (e.g. HTTP, alerts) display properly for both interfaces in my install (WAN, and LAN). When trying to view dns.log, "Loading file..." remains, as if hung. When I check, there is always a new crash report. This happens with either interface.

    Crash report begins.  Anonymous machine information:
    
    amd64
    11.2-RELEASE-p3
    FreeBSD 11.2-RELEASE-p3 #17 e6b497fa0a3(RELENG_2_4_4): Thu Sep 20 09:04:45 EDT 2018     root@buildbot3:/crossbuild/ce-244/obj/amd64/WvDslnYb/crossbuild/ce-244/pfSense/tmp/FreeBSD-src/sys/pfSense
    
    Crash report details:
    
    PHP Errors:
    [03-Dec-2018 13:34:18 America/New_York] PHP Fatal error:  Allowed memory size of 536870912 bytes exhausted (tried to allocate 138964000 bytes) in /usr/local/www/csrf/csrf-magic.php on line 149
    [03-Dec-2018 13:34:37 America/New_York] PHP Fatal error:  Allowed memory size of 536870912 bytes exhausted (tried to allocate 138972208 bytes) in /usr/local/www/csrf/csrf-magic.php on line 149
    [03-Dec-2018 21:14:14 America/New_York] PHP Fatal error:  Allowed memory size of 536870912 bytes exhausted (tried to allocate 213442560 bytes) in /usr/local/www/suricata/suricata_logs_browser.php on line 59
    [03-Dec-2018 21:14:54 America/New_York] PHP Fatal error:  Allowed memory size of 536870912 bytes exhausted (tried to allocate 188424192 bytes) in /usr/local/www/suricata/suricata_logs_browser.php on line 59
    [03-Dec-2018 21:15:09 America/New_York] PHP Fatal error:  Allowed memory size of 536870912 bytes exhausted (tried to allocate 188440576 bytes) in /usr/local/www/suricata/suricata_logs_browser.php on line 59
    [03-Dec-2018 21:16:27 America/New_York] PHP Fatal error:  Allowed memory size of 536870912 bytes exhausted (tried to allocate 213553152 bytes) in /usr/local/www/suricata/suricata_logs_browser.php on line 59
    [03-Dec-2018 21:18:01 America/New_York] PHP Fatal error:  Allowed memory size of 536870912 bytes exhausted (tried to allocate 188645376 bytes) in /usr/local/www/suricata/suricata_logs_browser.php on line 59
    [03-Dec-2018 21:18:42 America/New_York] PHP Fatal error:  Allowed memory size of 536870912 bytes exhausted (tried to allocate 188854272 bytes) in /usr/local/www/suricata/suricata_logs_browser.php on line 59
    
    
    No FreeBSD crash data found.
    


  • @sophware

Your log file is too large to load and display using the somewhat limited PHP memory space. The only fix for now is for you to view the log using an external tool (maybe such as the vi editor). Off the top of my head I was thinking there are some log size limits and rotation intervals available for that log file, but it's been a while since I've looked at that Suricata screen.

    If you see limits for that log file, make sure they are configured to keep the size down to only a few megabytes at most. That log will fill up really quickly on a busy network.



  • Thanks. That makes sense and was the response to an issue like this earlier this year, in this form.

    I didn't fail to search and respond to that post. It's just that the server is only a few days old. It's strange the log file should get that big that fast. Also, the limit on the size of the log file was 750k; and I knocked it down to 500k.



  • @sophware said in Suricata crash each time DNS logs are viewed:

    Thanks. That makes sense and was the response to an issue like this earlier this year, in this form.

    I didn't fail to search and respond to that post. It's just that the server is only a few days old. It's strange the log file should get that big that fast. Also, the limit on the size of the log file was 750k; and I knocked it down to 500k.

    That log can get quite large quickly due to the type of things it contains.

    I'm looking for a better way of displaying the contents of very large text log files within the GUI without running afoul of the PHP process memory limit.



  • @bmeeks Sounds good. Your quick replies are appreciated.

    I can now view the log. Did the 500k setting take effect right away, or did a scheduled job take place?



  • @sophware said in Suricata crash each time DNS logs are viewed:

    @bmeeks Sounds good. Your quick replies are appreciated.

    I can now view the log. Did the 500k setting take effect right away, or did a scheduled job take place?

    There is a log pruning cron task that executes periodically. I can't remember if the interval is 1 minute or 5 minutes. You probably got lucky and made the change right before the cron task's next execution cycle.
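The two fixes discussed in this thread, a GUI that reads only the tail of a large log instead of the whole file (so it stays under the PHP memory limit shown in the crash report) and a periodic size-based prune like the cron task mentioned above, can be sketched in plain PHP. This is an added example, not code from the pfSense Suricata package; the log path, the line format and the size limits are constructed for the demo, and the functions `tail_log` and `prune_log` are hypothetical names.

```php
<?php
// Added example, not pfSense/Suricata package code.
// (1) tail_log: show the newest part of a very large log without ever
//     holding the whole file in PHP memory (file_get_contents() would try
//     to allocate the entire file, which is what the crash report shows).
// (2) prune_log: enforce a size limit by keeping only the newest bytes,
//     rewriting the file in place so a writer holding it open in append
//     mode keeps logging to the same inode.

/**
 * Return the last $maxBytes of $path, trimmed to start on a line boundary.
 * Peak memory stays near $maxBytes regardless of the file size.
 */
function tail_log(string $path, int $maxBytes = 1048576, int $chunk = 65536): string {
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return '';
    }
    $size  = filesize($path);
    $start = max(0, $size - $maxBytes);
    fseek($fh, $start);
    $buf = '';
    while (!feof($fh)) {
        $piece = fread($fh, $chunk);
        if ($piece === false) {
            break;
        }
        $buf .= $piece;
    }
    fclose($fh);
    // If we started mid-line, drop the partial first line.
    if ($start > 0) {
        $nl  = strpos($buf, "\n");
        $buf = ($nl === false) ? '' : substr($buf, $nl + 1);
    }
    return $buf;
}

/**
 * If $path is larger than $limitBytes, truncate it in place and write back
 * only the newest $limitBytes (line-aligned). Returns true when pruned.
 */
function prune_log(string $path, int $limitBytes): bool {
    clearstatcache(true, $path);
    if (!is_file($path) || filesize($path) <= $limitBytes) {
        return false;
    }
    $keep = tail_log($path, $limitBytes);
    $fh = fopen($path, 'r+b');
    if ($fh === false || !flock($fh, LOCK_EX)) {
        return false;
    }
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, $keep);
    flock($fh, LOCK_UN);
    fclose($fh);
    return true;
}

// Stand-alone demo on a constructed log (format only loosely modelled on a
// Suricata dns.log line; the host names are not real).
$demo = sys_get_temp_dir() . '/dns_example.log';
$fh = fopen($demo, 'wb');
for ($i = 0; $i < 20000; $i++) {
    fwrite($fh, sprintf("12/04/2018-21:14:%02d.000000 [**] Query TX %04x [**] host%d.example.invalid [**] A\n",
                        $i % 60, $i, $i));
}
fclose($fh);

printf("size before: %d bytes\n", filesize($demo));
$view = tail_log($demo, 4096);                       // what the GUI would render
printf("tail view: %d bytes, first line: %s\n", strlen($view), strtok($view, "\n"));
$pruned = prune_log($demo, 512 * 1024);              // the 500k-style limit
clearstatcache(true, $demo);
printf("pruned: %s, size after: %d bytes\n", $pruned ? 'yes' : 'no', filesize($demo));
unlink($demo);
```

The in-place truncate-and-rewrite is deliberate: replacing the file via a temp file and `rename()` would leave a running Suricata writing to the old, now unlinked inode until it reopened its logs, so the GUI would show a file that stops growing. Between `ftruncate` and `fwrite` a concurrent append can still land, so treat the limit as approximate, which is also why the thread's advice to keep the limit at a few megabytes at most is the real control.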