Log/cap retention


Kostas Athanasiou

Sep 1, 2014, 5:24:45 AM
to securit...@googlegroups.com
During install I selected the retention time for logs etc. The requirement is to keep the logs for 180 days, but we do not need to keep pcaps for more than a day. Is there a config file that I can edit to allow retention for server logs in ELSA for 180 days but delete pcaps/network capture data after a day?

Is there a reason why that should not be done?

Doug Burks

Sep 1, 2014, 1:53:30 PM
to securit...@googlegroups.com
Hi Kostas,

The size of your pcap archive is determined by the CRIT_DISK_USAGE
setting in /etc/nsm/securityonion.conf.

The size of your ELSA archive is determined by the log_size_limit
setting in /etc/elsa_node.conf.



--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

Kostas Athanasiou

Sep 2, 2014, 4:51:20 AM
to securit...@googlegroups.com
Hi Doug,

Thanks for that. My question relates to days, i.e. currently my DAYSTOKEEP=181.

Is it possible to keep ELSA logs for 181 days but delete pcap files after 1 day?

Doug Burks

Sep 2, 2014, 7:36:22 AM
to securit...@googlegroups.com
Replies inline.

On Tue, Sep 2, 2014 at 4:51 AM, Kostas Athanasiou
<kostas.at...@gmail.com> wrote:
> Hi Doug,
>
> Thanks for that. My question relates to days, i.e. currently my DAYSTOKEEP=181.

DAYSTOKEEP relates to the Sguil database (securityonion_db) and has
nothing to do with ELSA logs or pcap files.

> Is it possible to keep ELSA logs for 181 days

Take a look at the following settings in /etc/elsa_node.conf (in
addition to the log_size_limit setting mentioned previously):

"Archive/days: Max number of days to retain logs for in the archive
Sphinx/days: Max number of days to retain logs for in the indexes"

https://code.google.com/p/enterprise-log-search-and-archive/wiki/Documentation#elsa_node.conf:

> but delete pcap files after 1 day?

To delete pcap files after 1 day, you could simply write a cron job
that would remove any old pcap directories.
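A cron-driven pruning script of the kind Doug describes, added here as an example; it is not code from the thread or from Security Onion itself. The `/nsm/sensor_data/<sensor>/dailylogs/YYYY-MM-DD` layout, the install path `/usr/local/sbin/prune_pcaps.sh` and the cron schedule are assumptions; the retention decision is made on the directory name rather than mtime so a late write cannot extend it.

```shell
#!/bin/sh
# Prune daily pcap directories older than KEEP_DAYS days.
# Assumed layout (not stated in the thread): <root>/<sensor>/dailylogs/YYYY-MM-DD/
# Installed as /usr/local/sbin/prune_pcaps.sh (assumed) and driven from cron, e.g. in /etc/cron.d:
#   30 0 * * * root PCAP_ROOT=/nsm/sensor_data KEEP_DAYS=1 /usr/local/sbin/prune_pcaps.sh
PCAP_ROOT="${PCAP_ROOT:-/nsm/sensor_data}"
KEEP_DAYS="${KEEP_DAYS:-1}"

# list_expired_pcap_dirs ROOT CUTOFF -> prints every dailylogs/YYYY-MM-DD dir dated before CUTOFF.
# The glob only matches date-shaped names, so entries such as lost+found are never touched.
list_expired_pcap_dirs() {
    root="$1"
    cutoff_num=$(printf '%s' "$2" | tr -d '-')        # 2014-09-01 -> 20140901
    case "$root" in ""|/) echo "refusing to prune under '$root'" >&2; return 1 ;; esac
    for d in "$root"/*/dailylogs/[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]; do
        [ -d "$d" ] || continue                       # unmatched glob stays literal; skip it
        day_num=$(basename "$d" | tr -d '-')
        # YYYYMMDD compares correctly as a plain integer
        [ "$day_num" -lt "$cutoff_num" ] && printf '%s\n' "$d"
    done
    return 0
}

# remove_expired_pcap_dirs ROOT CUTOFF -> deletes what list_expired_pcap_dirs reports, logging each removal.
remove_expired_pcap_dirs() {
    list_expired_pcap_dirs "$1" "$2" | while IFS= read -r d; do
        rm -rf -- "$d"
        logger -t prune_pcaps "removed $d" 2>/dev/null || true
    done
}

# prune_pcap_dirs ROOT DAYS -> keeps today plus the last DAYS days and deletes the rest.
prune_pcap_dirs() {
    # GNU date, as on the Ubuntu base Security Onion uses
    cutoff=$(date -u -d "$2 days ago" +%Y-%m-%d) || return 1
    remove_expired_pcap_dirs "$1" "$cutoff"
}

# Only act when executed under the installed name; sourcing the file just defines the functions.
case "$0" in *prune_pcaps*) prune_pcap_dirs "$PCAP_ROOT" "$KEEP_DAYS" ;; esac
```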