    Suricata Alerts Tab Error

IDS/IPS
    7 Posts 3 Posters 1.0k Views
newUser2pfSense

      For the longest time I was having no problems when I went to the Services > Suricata > Alerts tab where I would select the "Download" button and download the Suricata Alerts tar.gz file. However, yesterday the tar.gz download file began to be 0 bytes in size and I began receiving the following error message:

      pfSense has detected a crash report or programming bug. Click here for more information.

      Crash report begins. Anonymous machine information:

      amd64
      11.2-RELEASE-p4
      FreeBSD 11.2-RELEASE-p4 #2 b00c407ba5d(RELENG_2_4_4): Mon Nov 26 11:41:48 2018 root@buildbot2.nyi.netgate.com:/build/ce-crossbuild-244/obj/amd64/ZfGpH5cd/build/ce-crossbuild-244/pfSense/tmp/FreeBSD-src/sys/pfSense

      Crash report details:

      PHP Errors:
      [12-Dec-2018 16:44:00] PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 247265600 bytes) in /usr/local/www/csrf/csrf-magic.php on line 149

      No FreeBSD crash data found.

      Anyone have any ideas why this error has started to occur and how to fix it? Any suggestions would be helpful. Thank you.

bmeeks @newUser2pfSense

        @newuser2pfsense your alerts file is too large. What version of Suricata are you running, and do you have the LOG MGMT options enabled to trim and rotate your alerts log?

        There was a problem with log file rotation, but it was fixed in the latest 4.0.13_9 version of the package.

        For an immediate fix, all you can do is copy off the alert log file manually via SCP or a similar method (it will be in a subdirectory under /var/log/suricata named with the physical interface in the name). After that, truncate the existing log file.

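Bill's immediate workaround is to copy the alert log off the box and truncate it, which keeps PHP and its memory limit out of the picture entirely. The script below is an added example, not code from the thread or from the pfSense Suricata package: it archives every alerts.log under the log root with tar, verifies that each file made it into the archive, and only then truncates the live logs in place. The directory layout (`<logroot>/<iface>_<id>/alerts.log`), the log root and the archive path are assumptions you set for your own system.

```shell
#!/bin/sh
# Added example, not code from the thread or from the pfSense Suricata package.
# Export Suricata alert logs with tar on the firewall itself, verify the
# archive, then truncate each live alerts.log in place. Nothing here goes
# through PHP, so the web GUI memory limit in the crash report is not involved.
#
# Assumed layout, as described in the thread: <logroot>/<iface>_<id>/alerts.log
# The log root and the archive path are placeholders; set them for your system.

# list_alert_logs <logroot>
# Prints each alerts.log found exactly one directory below <logroot>,
# relative to <logroot> (e.g. ./em0_1234abcd/alerts.log).
list_alert_logs() {
    (cd "$1" && find . -mindepth 2 -maxdepth 2 -type f -name 'alerts.log') | sort
}

# file_size <path> -> byte count, trimmed so BSD wc padding does not break -eq
file_size() {
    wc -c < "$1" | tr -d ' '
}

# export_alert_logs <logroot> <archive.tgz>
# Streams the logs into a compressed archive. tar writes as it reads, so a
# multi-gigabyte export never has to fit in memory. Returns 1 if no log was
# found or any listed path is missing from the finished archive. On success
# prints the path of the list file, which names what is safe to truncate.
export_alert_logs() {
    logroot="$1"; archive="$2"
    case "$archive" in /*) ;; *) archive="$(pwd)/$archive" ;; esac
    list_alert_logs "$logroot" > "$archive.list"
    [ -s "$archive.list" ] || { rm -f "$archive.list"; return 1; }
    (cd "$logroot" && tar -czf "$archive" -T "$archive.list") || return 1
    # Verify every listed path is in the archive before anything is truncated
    tar -tzf "$archive" > "$archive.contents" || return 1
    while read -r rel; do
        grep -qxF "$rel" "$archive.contents" || return 1
    done < "$archive.list"
    rm -f "$archive.contents"
    echo "$archive.list"
}

# truncate_alert_log <alerts.log>
# Empties the live log without unlinking it. This assumes Suricata opened the
# file for append, so new alerts land at the new end of file; if in doubt,
# restart the Suricata instance afterwards from the GUI.
truncate_alert_log() {
    [ -f "$1" ] || return 1
    : > "$1"
}

# export_then_truncate <logroot> <archive.tgz>
# The manual procedure from the thread: copy off first, then truncate.
export_then_truncate() {
    list=$(export_alert_logs "$1" "$2") || return 1
    while read -r rel; do
        truncate_alert_log "$1/$rel" || return 1
    done < "$list"
    rm -f "$list"
}

# Runs the procedure only when executed directly with both arguments, e.g.
#   sh export_alerts.sh /var/log/suricata /root/alerts-$(date +%Y%m%d).tgz
if [ "$#" -eq 2 ] && [ -d "$1" ]; then
    export_then_truncate "$1" "$2" && echo "archive written to $2"
fi
```

Copy the finished archive off with `scp` afterwards; the archive is left on the firewall on purpose so that the truncate step never runs before a verified copy exists. The verification loop is the point of the design: a zero-byte or partial archive, which is exactly what the GUI was producing, must never be followed by a truncate.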
newUser2pfSense

Hi Bill... I'm currently using Suricata version 4.0.13_11. I've included a partial image of my LOG MGMT settings (I couldn't get the entire screen); they are default as I haven't made any changes.
[screenshot: LOG MGMT settings]

          Would you have a recommendation for my log management settings to trim/rotate my logs so I can download them without worrying about the error?

          The Services > Suricata > Alerts tab has a Clear button, however, when I click it, only the logs that are displayed are cleared, not from the path you provided. How would I truncate the existing log file? Thanks.

          Update - The tar.gz log file I was able to download before this issue occurred was 56.2 MB in size and when uncompressed was 1652 files at 1.2 GB. I SSHd into my pfSense computer to the directory you provided for the Suricata log files and removed several that I had already worked with - I didn't need to download them again. After deleting those log files, I was left with just under 600 files in the directory. I restarted pfSense and went back to the Alerts tab and clicked the Download button once more. I received another 0 byte tar.gz file with no log files in it and the same error message.

bmeeks @newUser2pfSense

            @newuser2pfsense
The download of those gzip archives over HTTP has been a pain to maintain. For some reason the code requirements on the PHP side seem to change now and then with updates to the underlying libraries. For instance, code that has worked for months (and sometimes a couple of years) will suddenly stop allowing the downloads to be successful even though that PHP code has not been touched.

            I suspect something similar may be going on again. Been a while since I've tested that and PHP has been updated recently in pfSense to 7.2 from the 5.x version. Don't know if that has something to do with it or not.

            I'm working on updating Suricata to use the new 4.1.0 binary. I will look at this bug as part of the package update.

newUser2pfSense

              Thanks Bill. Your help is greatly appreciated.

SteveITS @newUser2pfSense

                @bmeeks perhaps you can clarify for me...if Auto Log Management is checked, but Log Directory Size Limit is unchecked, the logs still get rotated? I guess I have assumed that "...of Suricata logs using parameters specified below" needed Log Directory Size Limit checked. But perhaps that is just a secondary reason to rotate the logs besides the "14 days" retention shown?

                Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                Upvote 👍 helpful posts!

bmeeks @SteveITS

                  @teamits
                  Yes, log rotation is independent of the Directory Size Limit setting. The Directory Size Limit is a safety valve designed to prevent firewall DOS caused by running the system out of disk space due to growth of IDS/IPS logs. So if the Directory Size Limit value is reached, and the setting is Enabled, then logs are cleaned up until space drops down below the limit.

Log Rotation is a slightly different animal. When Log Rotation is enabled, every 5 minutes a cron task executes that examines the configured log files to see if they have reached the rotation size limit. If reached, that log file is rotated. At the end of the log rotation script it checks the ages of rotated logs and removes those older than the configured retention interval.

So you can enable Directory Size Limit protection and leave Log Rotation and Aging disabled; or you can disable Directory Size Limit protection but enable Log Rotation and Aging.

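Bill describes two independent controls: a periodic job that rotates a log once it reaches a size limit and then ages out rotated copies past the retention period, and a separate Directory Size Limit that acts as a safety valve against filling the disk. The script below is an added example that models both controls in plain POSIX shell; it is not the pfSense package's own cron script. It rotates by copy-and-truncate so the writing process does not need to be signalled, purges rotated copies with `find -mtime`, and, for the safety valve, deletes the oldest rotated copy (never the live log) until the directory is back under the limit. The size limits, retention period, log name and directory are placeholders.

```shell
#!/bin/sh
# Added example, not the pfSense Suricata package's cron script. It models the
# two controls from the thread: (1) rotate a log once it reaches a size limit,
# then delete rotated copies older than the retention period; (2) a separate
# directory size "safety valve" that removes the oldest rotated copies until
# the directory is under the limit. All limits, names and paths are placeholders.

file_size() { wc -c < "$1" | tr -d ' '; }

# dir_size <dir> -> total bytes of regular files under <dir>
dir_size() {
    find "$1" -type f -exec wc -c {} \; | awk '{ s += $1 } END { print s + 0 }'
}

# rotate_if_needed <log> <limit_bytes>
# Once <log> has reached the limit, copy it to <log>.<timestamp> and truncate
# the live file (copy-truncate, so the writer keeps its open descriptor; lines
# written between the copy and the truncate are lost, the usual trade-off).
# Prints the rotated name, or nothing if no rotation was needed.
rotate_if_needed() {
    log="$1"; limit="$2"
    [ -f "$log" ] || return 1
    [ "$(file_size "$log")" -ge "$limit" ] || return 0
    rotated="$log.$(date +%Y%m%d%H%M%S)"
    while [ -e "$rotated" ]; do rotated="$rotated.1"; done   # same-second rotations
    cp "$log" "$rotated" && : > "$log" || return 1
    echo "$rotated"
}

# purge_aged <dir> <log_basename> <retention_days>
# Delete rotated copies (<basename>.<stamp>) whose mtime is older than
# <retention_days> whole days. Prints how many were removed.
purge_aged() {
    before=$(find "$1" -type f -name "$2.*" | wc -l | tr -d ' ')
    find "$1" -type f -name "$2.*" -mtime +"$3" -exec rm -f {} \;
    after=$(find "$1" -type f -name "$2.*" | wc -l | tr -d ' ')
    echo $((before - after))
}

# enforce_dir_limit <dir> <limit_bytes>
# Safety valve: while the directory exceeds the limit, delete the oldest
# rotated copy. The live *.log files are never candidates. Prints how many
# were removed.
enforce_dir_limit() {
    dir="$1"; limit="$2"; removed=0
    while [ "$(dir_size "$dir")" -gt "$limit" ]; do
        oldest=$(find "$dir" -type f -name '*.log.*' -exec ls -tr {} + | head -n 1)
        [ -n "$oldest" ] || break      # nothing left to remove but live logs
        rm -f "$oldest"
        removed=$((removed + 1))
    done
    echo "$removed"
}

# manage_logs <dir> <rotate_limit_bytes> <retention_days> <dir_limit_bytes>
# One pass of the periodic job: rotate, age out, then apply the safety valve.
manage_logs() {
    rotate_if_needed "$1/alerts.log" "$2" > /dev/null || return 1
    purge_aged "$1" alerts.log "$3" > /dev/null
    enforce_dir_limit "$1" "$4" > /dev/null
}

# Runs one pass only when executed directly with all four arguments, e.g.
# from cron every five minutes:
#   */5 * * * * sh /root/rotate_alerts.sh /var/log/suricata/em0_1234abcd 262144000 14 1073741824
if [ "$#" -eq 4 ] && [ -d "$1" ]; then
    manage_logs "$@"
fi
```

The two controls are deliberately separate functions, matching Bill's point that either can be enabled without the other: `rotate_if_needed` plus `purge_aged` is the rotation-and-aging path, and `enforce_dir_limit` is the Directory Size Limit path that only ever touches already-rotated copies.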
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.