Disk 109% full



  • I enabled Suricata packet logging a while back. Wasn't thinking. I don't know where these logs are stored in either the fall structure, or in the GUI. Where do I go to delete these?



  • Hi,

    Have a look at the part of the forum where packages (Suricata) is discussed.
    You'll find what your are looking for.


  • Netgate Administrator

    They are in /var/log/suricata. Stop Suricata, delete those logs.
    Go into the Suricata log management settings enable auto log management, set a directory size limit of something reasonable then re-save those settings.
    Monitor it for a few days to be sure it's rotating the logs as expected.

    Steve



  • @stephenw10 is spot on. On the LOG MGMT tab are settings for controlling the size of each active log and for retention of rotated logs.

    There is also a setting for controlling the maximum allowed size of the entire /var/log/suricata tree. Be sure to allow for some overrun when setting the size limit, though. This is because the log managment feature is handled by a cron task that runs periodically to check on and clean up logs. On a busy network, there can be a lot of log growth that happens in between the 5-minute checks the cron task performs.

    Unless you have a quite large hard disk (say at least 30 GB or more), then enabling packet logging can be dicey on a busy network. You will need to limit the log size and particularly the retention (the number of old, rotated logs/files kept on disk).


Log in to reply