Suricata Alerts Tab Error

  • For the longest time I was having no problems when I went to the Services > Suricata > Alerts tab where I would select the "Download" button and download the Suricata Alerts tar.gz file. However, yesterday the tar.gz download file began to be 0 bytes in size and I began receiving the following error message:

    pfSense has detected a crash report or programming bug. Click here for more information.

    Crash report begins. Anonymous machine information:

    FreeBSD 11.2-RELEASE-p4 #2 b00c407ba5d(RELENG_2_4_4): Mon Nov 26 11:41:48 2018

    Crash report details:

    PHP Errors:
    [12-Dec-2018 16:44:00] PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 247265600 bytes) in /usr/local/www/csrf/csrf-magic.php on line 149

    No FreeBSD crash data found.

    Anyone have any ideas why this error has started to occur and how to fix it? Any suggestions would be helpful. Thank you.

  • @newuser2pfsense your alerts file is too large. What version of Suricata are you running, and do you have the LOG MGMT options enabled to trim and rotate your alerts log?

    There was a problem with log file rotation, but it was fixed in the latest 4.0.13_9 version of the package.

    For an immediate fix, all you can do is copy off the alert log file manually via SCP or a similar method (it will be in a subdirectory under /var/log/suricata named with the physical interface in the name). After that, truncate the existing log file.

  • hi Bill...I'm currently using Suricata version 4.0.13_11. I've included a partial image of my LOG MGMT settings (I couldn't get the entire screen); they are default as I haven't made any changes.

    Would you have a recommendation for my log management settings to trim/rotate my logs so I can download them without worrying about the error?

    The Services > Suricata > Alerts tab has a Clear button, however, when I click it, only the logs that are displayed are cleared, not from the path you provided. How would I truncate the existing log file? Thanks.

    Update - The tar.gz log file I was able to download before this issue occurred was 56.2 MB in size and when uncompressed was 1652 files at 1.2 GB. I SSHd into my pfSense computer to the directory you provided for the Suricata log files and removed several that I had already worked with - I didn't need to download them again. After deleting those log files, I was left with just under 600 files in the directory. I restarted pfSense and went back to the Alerts tab and clicked the Download button once more. I received another 0 byte tar.gz file with no log files in it and the same error message.

  • @newuser2pfsense
    The download of those gzip archives over HTTP has been a pain to maintain. For some reason the code requirements on the PHP side seem to change now and then with updates to the underlying libraries. For instance, code that has worked for months (and sometimes a couple of years) will suddenly stop allowing the downloads to be successful even though that PHP code has not been touched.

    I suspect something similar may be going on again. Been a while since I've tested that and PHP has been updated recently in pfSense to 7.2 from the 5.x version. Don't know if that has something to do with it or not.

    I'm working on updating Suricata to use the new 4.1.0 binary. I will look at this bug as part of the package update.

  • Thanks Bill. Your help is greatly appreciated.

  • @bmeeks perhaps you can clarify for me...if Auto Log Management is checked, but Log Directory Size Limit is unchecked, the logs still get rotated? I guess I have assumed that "...of Suricata logs using parameters specified below" needed Log Directory Size Limit checked. But perhaps that is just a secondary reason to rotate the logs besides the "14 days" retention shown?

  • @teamits
    Yes, log rotation is independent of the Directory Size Limit setting. The Directory Size Limit is a safety valve designed to prevent firewall DOS caused by running the system out of disk space due to growth of IDS/IPS logs. So if the Directory Size Limit value is reached, and the setting is Enabled, then logs are cleaned up until space drops down below the limit.

    Log Rotation is a slightly different animal. When Log Rotation is enabled, every 5 minutes a cron task executes that examines the configured log files to see if they have reached the rotation size limit. If reached, that log file is rotated. At the end of the log rotation script it checks the ages of rotated logs and removes those older than the configured retention interval.

    So you can enable Directory Size Limit protection and leave Log Rotation and Aging disabled; or you can disable Directory Size Limit protection but enable Log Rotation and Aging.
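The three mechanisms described in the answer above (size-triggered rotation, age-based removal of rotated logs, and the independent Directory Size Limit safety valve), as an added model in Python that is not the Suricata package's own code. The rotated-file naming (`<log>.<epoch>`), the `suricata_em0_` directory prefix, and the file sizes and ages are constructed assumptions for the demo.

```python
import os, tempfile
DAY = 86400
NOW = 1_600_000_000  # constructed fixed "current time" so the demo is reproducible

def dir_size(log_dir):
    return sum(os.path.getsize(os.path.join(log_dir, n)) for n in os.listdir(log_dir))

def rotate_and_age(log_dir, rotate_bytes, retention_days, dir_limit_bytes, now):
    # Rotated files are named <log>.<epoch>: an assumption, not the package's own scheme.
    done = {"rotated": [], "aged_out": [], "size_trimmed": []}
    # 1. Rotation: an active *.log that reached the size limit is renamed and recreated empty.
    for name in sorted(os.listdir(log_dir)):
        path = os.path.join(log_dir, name)
        if name.endswith(".log") and os.path.getsize(path) >= rotate_bytes:
            os.replace(path, f"{path}.{int(now)}")  # rename keeps the old mtime
            open(path, "w").close()
            done["rotated"].append(f"{name}.{int(now)}")
    # 2. Aging: rotated logs older than the retention interval are deleted.
    cutoff = now - retention_days * DAY
    for name in sorted(os.listdir(log_dir)):
        path = os.path.join(log_dir, name)
        if not name.endswith(".log") and os.path.getmtime(path) < cutoff:
            os.remove(path)
            done["aged_out"].append(name)
    # 3. Directory Size Limit safety valve (independent of 1 and 2): oldest rotated logs go first.
    if dir_limit_bytes is not None:
        rotated = [n for n in os.listdir(log_dir) if not n.endswith(".log")]
        rotated.sort(key=lambda n: os.path.getmtime(os.path.join(log_dir, n)))
        while rotated and dir_size(log_dir) > dir_limit_bytes:
            os.remove(os.path.join(log_dir, rotated[0]))
            done["size_trimmed"].append(rotated.pop(0))
    return done

def build_sample_dir(now):
    # Constructed interface log directory: name -> (size in bytes, age in days).
    d = tempfile.mkdtemp(prefix="suricata_em0_")
    samples = {"alerts.log": (3000, 0), "http.log": (100, 0),
               "alerts.log.100": (2000, 20), "alerts.log.200": (2000, 5)}
    for name, (size, age_days) in samples.items():
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(b"x" * size)
        os.utime(path, (now - age_days * DAY,) * 2)
    return d

def demo(rotate_bytes=1024, retention_days=14, dir_limit_bytes=4000):
    d = build_sample_dir(NOW)
    return rotate_and_age(d, rotate_bytes, retention_days, dir_limit_bytes, NOW), sorted(os.listdir(d))

if __name__ == "__main__":
    print(demo())
```

With the defaults, the 3000-byte `alerts.log` is rotated, the 20-day-old rotated file is aged out, and the size limit then removes the oldest remaining rotated file; pass `dir_limit_bytes=None` to see rotation and aging work without the safety valve.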
