On Saturday, July 6, 2019 at 7:04:06 AM UTC-5, Wes wrote:
> Hi Michael,
>
>
> I'm not sure why you would have an issue like you mentioned. With Elastic, we recommend disabling swap anyway.
>
>
> You could look at limiting the pipeline.workers for Logstash, as well as the heap size for Logstash in /etc/logstash/jvm.options, and for Elasticsearch in /etc/elasticsearch/jvm/options. You could also consider disabling services you don't want/need in /etc/nsm/securityonion.conf, or by re-running setup.
>
>
> Thanks,
> Wes
>
>
> On Fri, Jul 5, 2019 at 3:33 PM Michael Fort <cm0s...@gmail.com> wrote:
> I just replaced your XFCE Security Onion (14.04) with your latest. I bought 2 500 GB drives and set them up as raid0. The DISKS program shows I have 1 GB of swap. I've never had an issue with swap in the past and raid0 should be much faster in disk read/write. I ran sysctl -a | grep dirty and have attached the output. Any suggestions? My computer is a rather old Core 2 Quad with 8 GB RAM. I am using it in my home as standalone. I don't see how it can be overwhelmed since there are only short periods of high traffic, but for some reason even when there is almost no traffic the swap continues to fill up. Any suggestions would be greatly appreciated.
>
>
>
I found the issue. On the original install I went with the automatic setup and install. For some reason it did not format the raid0 correctly. On the second install I set it all up manually. It is working correctly now. Thanks for your reply.