Suricata Logs grow over limitation
-
Hello together,
I hope this is the right place for this topic.
I administer several pfSense firewalls; for intrusion detection I use Suricata with a Snort subscription.
Now I have an unpleasant problem with these firewalls, their hard drives are running full of Suricata logs.
I have limited the log sizes to 100MB in the Suricata menu "Logs Mgmt".
This didn't stop Suricata from writing the whole disk full.
I also set the "Captured Files Storage Limit" to 60MB, that didn't help either.
What do I have to do to limit the Suricata logs?
Best regards
-
What version of the Suricata package are you running, and on what version of pfSense?
Older editions had a bug in the log rotation and management code that led to the kinds of problems you are describing.
The current Suricata package version is 6.0.3_3. But unless you are running the most current version of pfSense for your platform, DO NOT update the Suricata package! Doing that will break the firewall! If a new version of pfSense is showing, update it first, then update Suricata last.
-
Hi, thanks for your answer.
So one of the firewalls where this was happening has pfSense version 21.05 with Suricata version 6.0.0_12, and another firewall has pfSense version 21.02.2, also with Suricata version 6.0.0_12. So my steps should be: update pfSense to the highest point and after that update Suricata to 6.0.3_3?
-
@suricata_cap said in Suricata Logs grow over limitation:
Hi, thanks for your answer.
So one of the firewalls where this was happening has pfSense version 21.05 with Suricata version 6.0.0_12, and another firewall has pfSense version 21.02.2, also with Suricata version 6.0.0_12. So my steps should be: update pfSense to the highest point and after that update Suricata to 6.0.3_3?
Yes, my recommendation would be to first update both firewalls to the latest 21.05.1 pfSense+ version. Then update the Suricata package to the latest version, which is 6.0.3_3.
The new Suricata package should take care of your disk space consumption, but you still might want to keep tabs on the utilization. Unfortunately the Suricata binary does not offer the same built-in log size limit and rotation options as the Snort binary, so that means external cron tasks are used by the GUI code to manage the logs. That is not always seamless ...
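A cron-style size check of the kind @bmeeks describes, as an added example that is not part of this thread or of the pfSense package code; it assumes per-interface logs live under /var/log/suricata/<iface>/ and that rotated copies carry a suffix after ".log" (e.g. alerts.log.1), and it only reports what would have to be pruned rather than deleting anything:

```shell
#!/bin/sh
# Added example, not pfSense's or Suricata's own log-management code.
# Reports how much disk a Suricata log directory uses and lists the oldest
# rotated logs that would have to go to get back under a size limit, so a
# cron job can verify the "Logs Mgmt" limit is actually being honoured.
# Assumption: pfSense keeps per-interface logs under /var/log/suricata/<iface>/
# and rotated copies carry a suffix after ".log" (e.g. alerts.log.1).

# Total bytes of all regular files below a directory (portable: no GNU stat).
dir_bytes() {
    find "$1" -type f -exec wc -c {} \; 2>/dev/null | awk '{ s += $1 } END { print s + 0 }'
}

# Same total, rounded down to whole MB, for comparison with the GUI limit.
dir_mb() {
    echo $(( $(dir_bytes "$1") / 1048576 ))
}

# Print, oldest first, the rotated logs (never the live *.log) that must be
# removed so the directory falls to or below the limit in MB. Prints nothing
# when the directory is already within the limit. Dry run only: nothing is
# deleted, so the output can be reviewed before it is ever fed to rm.
prune_candidates() {
    dir=$1
    limit=$(( $2 * 1048576 ))
    total=$(dir_bytes "$dir")
    [ "$total" -le "$limit" ] && return 0
    # ls -tr sorts by modification time, oldest first.
    for name in $(ls -tr "$dir"); do
        case "$name" in *.log.*) ;; *) continue ;; esac   # skip the active log
        echo "$dir/$name"
        total=$(( total - $(wc -c < "$dir/$name") ))
        [ "$total" -le "$limit" ] && break
    done
    return 0
}

# Usage: suricata-logcheck.sh /var/log/suricata/<iface> 100
if [ $# -ge 2 ]; then
    echo "$1: $(dir_mb "$1") MB used, limit $2 MB"
    prune_candidates "$1" "$2"
fi
```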
-
@bmeeks I will try that out and let you know how it went, thank you again for your answer! <3
One more question if you allow: when I installed Suricata on all the firewalls, I had the problem that I couldn't install the latest Suricata version on all of them. Old versions were often displayed as the currently available version; what can I do about that?
-
See here: pfSense Plus Software Version 21.05.1 is Now Available for Upgrades.
You'll find:
Once the firewall detects that an upgrade is available, do not update packages before initiating the upgrade! Either remove all packages or do not update packages before running the upgrade.
This implies: when pfSense has an upgrade, upgrade pfSense first. Then you'll find the most recent packages.
-
To expand a bit upon the answer provided by @Gertjan. Packages for pfSense are compiled against a specific FreeBSD kernel version. And because FreeBSD is the underlying operating system for pfSense, that ties the version of pfSense to a specific branch of FreeBSD. So, in turn, packages are also tied to a specific FreeBSD version branch. You can't install a package compiled on and for FreeBSD 12 on a FreeBSD 11 kernel (and vice-versa). Doing so will break things due to the different versions of shared libraries.
So the version of pfSense installed on your firewall determines which "branch" of the pfSense packages repository your firewall looks at to see if new package versions are available. So if your firewall is not running the most recent version of pfSense, you won't necessarily see the most recent version of the packages listed. But there are some exceptions to that, especially when a new pfSense version is posted.
To prevent breaking things, never upgrade or install a new package when a pfSense update is showing (for example, when the Dashboard check shows a newer version of pfSense is available). Always update pfSense to the most current version before installing or upgrading any packages.