Snort fills up disk with logs, Dashboard goes bye bye, interfaces lose their minds



  • v2.4.4. For the second time now Snort alerts have hammered the drive and filled it up to capacity. I manage to remove older logs but I have two issues at hand. The first is that when this occurs, the Dashboard disappears. It just shows the menu at the top, then "Status/Dashboard" and nothing else. Bonus, the Snort option also disappears from the menu. I have gone into the console and restarted the webConfigurator and the php-fpm process but it doesn't resolve the issue. The results are consistent across multiple browsers. The only way to get everything back to normal is to reboot the system, which isn't ideal but it gets the job done, sorta. Read below. Is there another way to work around this issue if it happens again?

    The reason I ask is because the Snort Log MGMT settings page is goofy at best. It doesn't seem to obey the Log Directory Size config parameter and often reverts back to some funky value like -1819 or something.

    Lastly, usually when I manage to reboot the system it boots up and acts like it has lost all interface configurations. It would hang indefinitely at the point in the attached image. And even if I go through hand resetting everything, the LAN interface rarely comes back on net. It gets limited ARP information and is not pingable from most systems on the network. In all the times this has happened, I really just end up factory resetting the system and quickly rebuilding it.




  • This is Snort 4.0 default, and values might be different from yours... did you change yours?

    [screenshot: Screen Shot 2020-03-18 at 8.03.44 PM.png]


  • Netgate Administrator

    Enable a log directory size limit as well as log sizes to be sure duplicate files don't fill the drive.

    Steve
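One way to enforce the same directory size cap from a cron job or the console when the GUI setting is not holding, as an added example that is not part of this thread and not code from pfSense or the Snort package; the directory path and limit are placeholders, and the cap is validated so a corrupted value such as the -1819 mentioned above is rejected instead of pruning everything:

```shell
#!/bin/sh
# Added example: trim a Snort log directory to a size cap by removing the
# oldest files first. Assumes POSIX sh with du, ls, head and awk available.
# Paths and limits below are placeholders, not values from the thread.

# Total size of a directory in KB, as reported by du.
dir_size_kb() {
    du -sk "$1" | awk '{print $1}'
}

# usage: prune_log_dir <dir> <limit_kb>
# Returns 0 when the directory fits under the cap, 1 when no files are
# left to delete, 2 when the limit is not a positive integer (e.g. "-1819").
prune_log_dir() {
    dir=$1
    limit_kb=$2
    case $limit_kb in
        ''|*[!0-9]*|0) return 2 ;;     # reject empty, negative, non-numeric, zero
    esac
    [ -d "$dir" ] || return 2
    while [ "$(dir_size_kb "$dir")" -gt "$limit_kb" ]; do
        # ls -t sorts newest first; -r reverses so the oldest file comes first.
        # Filenames containing newlines are not handled by this simple loop.
        oldest=$(ls -tr "$dir" | head -n 1)
        [ -n "$oldest" ] || return 1
        rm -f "$dir/$oldest"
    done
    return 0
}

# Example invocation (placeholder path; typical Snort package logs live
# under /var/log/snort on pfSense, but check your own install):
# prune_log_dir /var/log/snort 512000
```

Run it from cron at a short interval so the drive never reaches 100% between runs; pruning alert files is safe, but it does not address why the instance writes so much in the first place.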

