Disk usage keeps building

bmeeks

@james-0 said in Disk usage keeps building:

I guess the PHP error did not upload. This is the content of the error.

[07-Dec-2020 10:06:33 America/New_York] PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 2964803200 bytes) in /usr/local/www/suricata/suricata_logs_browser.php on line 54

This is an expected error when trying to read huge log files. There is not enough PHP system memory to hold the data. The PHP code tries to read the whole file into memory and then display it.

bmeeks

@james-0 said in Disk usage keeps building:

I did find a command that would show me more detail of the folders.

ls -lha /var/log/suricata/suricata_mvneta0.40918369

total 5871712
drwxr-xr-x 2 root wheel 512B Dec 7 10:15 .
drwx------ 3 root wheel 512B Dec 7 10:54 ..
-rw-r--r-- 1 root wheel 0B Dec 8 09:25 alerts.log
-rw-r--r-- 1 root wheel 2.8G Dec 7 08:43 alerts.log.2020_1207_1015
-rw-r--r-- 1 root wheel 0B Dec 8 09:25 http.log
-rw-r--r-- 1 root wheel 39M Dec 7 10:14 http.log.2020_1207_1015
-rw-r--r-- 1 root wheel 6.2K Dec 8 08:40 suricata.log

I see that the alerts log is 2.8G but when I go to Services, Suricata and click on Alerts it is empty.

This indicates that the Log Rotation process itself worked (notice the active alerts.log file was renamed to alerts.log.2020_1207_1015) and a new empty alerts.log file was created. The next phase of logs management will kick in when the renamed file ages out (in other words, it's last write date goes beyond the retention period you selected on the LOGS MGMT tab for alerts).

If you want the space back immediately, simply delete that large 2.8 GB file.

James 0

Thank you all. Before your updated comment I went to Services/Suricata/logs Mgmt and made sure Remove Suricata Logs On Package Uninstall was check. I then uninstalled Suricata and after, reinstalled it. It looks like all my settings came back and the large file logs were gone which now puts me to 19%.

I will keep an eye on this for a while.

Thank you again for all your help. I am learning a few things.

bmeeks

@james-0 said in Disk usage keeps building:

Thank you all. Before your updated comment I went to Services/Suricata/logs Mgmt and made sure Remove Suricata Logs On Package Uninstall was check. I then uninstalled Suricata and after, reinstalled it. It looks like all my settings came back and the large file logs were gone which now puts me to 19%.

I will keep an eye on this for a while.

Thank you again for all your help. I am learning a few things.

Glad you solved your issue. But please keep an eye on the log usage in that directory and post back here if the usage gets beyond the limits you configured on the LOGS MGMT tab. There are settings for how large the files can get before being rotated, and a setting for retention time that determines how long rotated files are kept on disk before they are deleted.

The other limit available on that tab up at the top sets a limit on the overall logging directory size (including the interface sub-directories contained within). That limit is configurable as a specific value set by the user, or it will automatically default to a percentage (20% or so I think it is) of disk space. However, no log file management of any type happens until the Enable checkbox is clicked on the LOGS MGMT tab and the change saved.