pfsense disk usage %109 238gib -ufs



  • Hi masters,
    I'm using pfSense 2.4.4, but my disk usage is up to 109% and many services don't work.
    When I check with a shell command I see 238G of usage in the /dev/ufsid/5c56aa7e7f88e22be folder. What is this folder and how can I clean it?
    This problem probably started to occur after I started using Suricata; I did not notice the disk was full.

    I request your support, please.


  • LAYER 8 Netgate

    Probably snort or squid logs.

    If you enabled squid logs be sure you enabled rotation.

    Whatever it is should be in /var.

    This should make it obvious who the culprit is:

    du -skh /var/*

    Then see what it is and drill down from there if necessary, eg:

    du -skh /var/log/*

    The first thing I would do is take a config backup if it will let you. Or at least download one of the configs in the config history. With a full disk like that there is really no telling what didn't get written out properly. Probably not necessary but I would be tempted to reinstall with config recovery if I let a system go to zero-free like that.



  • @Derelict yes, found it: 237G in /var/log/suricata. How can I delete it?


  • LAYER 8 Netgate

    Probably something like:

    Disabling suricata
    rm -rf /var/log/suricata
    Fixing the run-away logs
    Enabling suricata

    Not exactly sure; I don't have a Suricata install to look at at the moment. Moved to the IDS/IPS forum to get the right eyes on it.



  • hi originated from suricata log files , also check the logs mgmt Log Directory Size Limit Log Limit Size selected in MB 3782mb default this choose and LAN interface delete ,
    solved disk usage %1 ,

    for suricata, just activate wan interface?

    thanks.



  • @torefloo said in pfsense disk usage %109 238gib -ufs:

    hi originated from suricata log files , also check the logs mgmt Log Directory Size Limit Log Limit Size selected in MB 3782mb default this choose and LAN interface delete ,
    solved disk usage %1 ,

    for suricata, just activate wan interface?

    thanks.

    It is a little hard for me to follow this response. Are you saying you resolved your issue by enabling Log Management and the Log Directory Size Limit, or do you still have a problem?

    You don't state what version of Suricata you are running, but make sure you are on the most recent version. A few versions back there was a bug that caused some log files to grow unabated.
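
Added example, not part of any post in this thread and not pfSense or Suricata package code: a POSIX shell check that measures a log directory such as the /var/log/suricata found above against a size cap in MB and names the largest files. The function names, the cap values and the scratch files are constructed for illustration.

```shell
#!/bin/sh
# Added example: size check for a log directory such as /var/log/suricata.
# Function names and the sample data are hypothetical, not pfSense package code.

# Total apparent size, in bytes, of all regular files under directory $1.
dir_bytes() {
    LC_ALL=C find "$1" -type f -exec ls -ln {} + 2>/dev/null |
        awk '{ total += $5 } END { printf "%.0f\n", total + 0 }'
}

# The $2 largest files under $1 as "<bytes> <path>", largest first.
# The path is taken from the last ls field, so names with spaces are cut short.
largest_files() {
    LC_ALL=C find "$1" -type f -exec ls -ln {} + 2>/dev/null |
        awk '{ print $5, $NF }' | sort -rn | head -n "${2:-5}"
}

# Return 0 if $1 is under the cap of $2 MB, 1 if at or over it, 2 if $1 is missing.
check_log_dir() {
    [ -d "$1" ] || { echo "MISSING: $1"; return 2; }
    used=$(dir_bytes "$1")
    limit=$(( $2 * 1024 * 1024 ))
    if [ "$used" -ge "$limit" ]; then
        echo "OVER: $1 holds $used bytes, cap is $limit bytes. Largest files:"
        largest_files "$1" 3
        return 1
    fi
    echo "OK: $1 holds $used of $limit bytes allowed"
}

# Constructed sample: a scratch directory with one runaway log file.
sample=$(mktemp -d)
dd if=/dev/zero of="$sample/eve.json" bs=1024 count=3072 2>/dev/null
dd if=/dev/zero of="$sample/http.log" bs=1024 count=100 2>/dev/null
check_log_dir "$sample" 2 || echo "-> rotate or prune before the disk fills"
check_log_dir "$sample" 10
rm -rf "$sample"
```

The non-zero return on an over-cap directory lets a scheduled job alert before the filesystem reaches the state described at the top of the thread.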



  • @bmeeks yes, enabling Log Management and the Log Directory Size Limit resolved it.

    My pfSense version is 2.4.4-RELEASE-p2; is this version a problem for Suricata?

    Also, what basic Suricata configuration do you recommend, and on which interface: WAN, LAN, or both?

    thanks.



  • @torefloo sorry, the Suricata version is 4.1.4_2.



  • The most recent version of the Suricata package is 4.1.4_3 (just posted about an hour ago). Your pfSense version is one patch level behind. Current is 2.4.4_p3.

    I usually recommend that users put Suricata (or Snort) on their LAN, especially for home networks. Doing so lets you see the addresses in alerts without NAT interfering. When you run it on the WAN, all of your local hosts in alerts will show up with the WAN's public IP address because Suricata sees traffic before NAT rules are applied.

    The only time I would put Suricata on the WAN is if you have several public facing hosts such as web servers or mail servers that you want to protect.



  • @bmeeks thanks. Is there anything I need to pay attention to in order to update pfSense? System Information shows an available package; can I install it directly on top?



  • I usually suggest deleting the package and re-installing it, especially for major updates. This update is minor and changes only one PHP file, so you can just do a re-install on the PACKAGE MANAGER tab. If a delete and then install is recommended, I will always put a warning in the package release notes.

    Suricata will retain your settings even when you delete the package unless you specifically uncheck the Save Settings on De-Install checkbox on the GLOBAL SETTINGS tab. That setting is enabled by default, so you don't lose any settings when you remove the package.

    So for this update, go to the PACKAGE MANAGER tab and click the re-install icon.

