Bro/zeek logs being deleted in /nsm directory


Cory Watson

Aug 17, 2020, 1:34:25 PM
to security-onion

Hi,

I’m encountering some strange behavior with zeek in my onion instance. For some reason, the zeek & bro directories in “/nsm” where the zeek logs should be stored seem to keep deleting the previous day’s zeek logs, so I’m only getting 1 day of logs, and I can’t find what is causing this to happen or where. From my understanding, the cronjob that deletes old logs is deleting the dailylogs and is not supposed to be touching the zeek directory.

Thank you,

Cory

Wes Lambert

Aug 17, 2020, 3:46:09 PM
to securit...@googlegroups.com
Hi Cory,

You may want to look at increasing your available storage or filtering your PCAP, as the sensor clean script(s) will indeed clean up Zeek logs, as well as PCAP.

Thanks,
Wes


Cory Watson

Aug 17, 2020, 7:56:19 PM
to security-onion
Ok, thanks Wes, I'll try increasing my disk size and see if that fixes my issue. Do I also need to increase the allocated storage in the /etc/nsm/securityonion.conf file?

Thanks,
Cory
