How to delete all logs without using SO-Setup?


id1010...@gmail.com

Jul 19, 2017, 10:08:22 PM
to security-onion
I am looking for a quick method to delete all logs/alerts/extracted files etc., without running SO-Setup. Is there a simple method for this already, or is it really a matter of going through and manually clearing them? And if so, will simply deleting the contents of those directories solve the problem?


Thanks,
Jay

id1010...@gmail.com

Jul 19, 2017, 10:23:58 PM
to security-onion

Specifically, I want to delete ELSA, Sguil, and Squert logs.
So this is mainly for analyst work using the front end, I'm not terribly worried about deleting the actual backend data.

Wes Lambert

Jul 19, 2017, 10:53:16 PM
to securit...@googlegroups.com
Jay,

You could try using:

/usr/sbin/nsm_server_clear
and
/usr/sbin/nsm_sensor_clear

to achieve this.

However, these aren't frequently tested, so you may want to use these at your own risk.

Thanks,
Wes 


--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

id1010...@gmail.com

Jul 20, 2017, 9:01:41 PM
to security-onion
On Wednesday, July 19, 2017 at 10:53:16 PM UTC-4, Wes wrote:
> Jay,
>
>
> You could try using:
>
>
> /usr/sbin/nsm_server_clear
> and
> /usr/sbin/nsm_sensor_clear
>
>
> to achieve this.
>
>
> However, these aren't frequently tested, so you may want to use these at your own risk.
>
>
> Thanks,
> Wes 

I feel like this should be part of Security Onion. Why isn't there a log clear script already created and maintained? Is this a feature request we could ask for?

wedgeshot

Jul 20, 2017, 11:22:30 PM
to security-onion
I'd say if you know your configs... build an answer file and back up any rule changes you made. Then run so-setup and point to the answer file to start over. That is essentially what you want, right?

What will you lose if you run so-setup?


id1010...@gmail.com

Jul 21, 2017, 12:28:11 AM
to security-onion
> I'd say if you know your configs... build an answer file and back up any rule changes you made. Then run so-setup and point to the answer file to start over. That is essentially what you want, right?
>
> What will you lose if you run so-setup?

In my situation, I'm often using this software at many different locations, so a config file would need to be tailored for each location. It just seems odd that this isn't a built-in capability.

Doug Burks

Jul 24, 2017, 8:08:53 AM
to securit...@googlegroups.com
Hi id1010terror,

Have you tried Wes's suggestion of nsm_server_clear and
nsm_sensor_clear? The reason Wes included a warning was that these
scripts are not commonly used since the vast majority of our community
are deploying permanent production sensors and wouldn't ever want to
destroy all their data. So these scripts haven't been tested as much
as the rest of our scripts, but in theory they should work.

I just tested and they seemed to work for me. A couple of things to note:

- nsm_server_clear wipes the entire Sguil database and this includes
the user account that you use to log into Sguil/Squert/ELSA. You can
create a new account with nsm_server_user-add.

- nsm_server_clear and nsm_sensor_clear don't touch the ELSA database.
If you want to clear ELSA logs as well, you can additionally run
securityonion-elsa-reset.

In summary, if you want to clear all Sguil and ELSA data, you should
be able to do something like this:

sudo nsm_server_clear
sudo nsm_server_user-add
sudo nsm_sensor_clear
sudo securityonion-elsa-reset

Here's another option for you which may be quicker/easier depending on
your desired results:

# edit /etc/nsm/securityonion.conf and set DAYSTOKEEP to 0
# this will delete any data older than today
# if you have data from today, you could roll your OS date forward to tomorrow
sudo sguil-db-purge
# edit /etc/nsm/securityonion.conf and set DAYSTOKEEP back to its
default of 30 or whatever value you desire
sudo securityonion-elsa-reset

Hope that helps!

--
Doug Burks

Doug Burks

Jul 24, 2017, 8:16:47 AM
to securit...@googlegroups.com
(Actually, you should be able to set DAYSTOKEEP to -1 and it should
delete all Sguil data including from today.)


--
Doug Burks
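The DAYSTOKEEP route from Doug's two messages above, written out as a small wrapper. This is an added example, not a script from the thread or from the Security Onion project: it assumes the stock config path /etc/nsm/securityonion.conf with a KEY=VALUE line for DAYSTOKEEP, and it only invokes sguil-db-purge and securityonion-elsa-reset when those tools are actually installed. The point it adds to the thread is that the retention value is restored even when the purge fails, so a half-finished run does not leave a sensor silently purging everything every day.

```shell
#!/bin/sh
# Added example wrapper for the DAYSTOKEEP purge described in the thread.
# Assumed config path (stock Security Onion); override CONF to test on a copy.
CONF="${CONF:-/etc/nsm/securityonion.conf}"

# Print the current DAYSTOKEEP value from the given config (empty if absent).
get_daystokeep() {
    sed -n 's/^DAYSTOKEEP=\(.*\)$/\1/p' "$1" | tail -n 1
}

# Replace (or append) the DAYSTOKEEP line in the given config, keeping a .bak copy.
set_daystokeep() {
    conf="$1"
    val="$2"
    if grep -q '^DAYSTOKEEP=' "$conf"; then
        sed -i.bak "s/^DAYSTOKEEP=.*/DAYSTOKEEP=$val/" "$conf"
    else
        cp "$conf" "$conf.bak"
        printf 'DAYSTOKEEP=%s\n' "$val" >> "$conf"
    fi
}

# Set retention to -1 (Doug's follow-up: purges everything, today included),
# run sguil-db-purge, then restore the original value whether or not the purge
# succeeded. The ELSA reset runs only after a clean Sguil purge.
purge_all() {
    conf="$1"
    orig="$(get_daystokeep "$conf")"
    [ -n "$orig" ] || orig=30          # default mentioned in the thread
    set_daystokeep "$conf" -1
    rc=0
    if command -v sguil-db-purge >/dev/null 2>&1; then
        sudo sguil-db-purge || rc=$?
    fi
    set_daystokeep "$conf" "$orig"     # always restore retention
    if [ "$rc" -eq 0 ] && command -v securityonion-elsa-reset >/dev/null 2>&1; then
        sudo securityonion-elsa-reset || rc=$?
    fi
    return "$rc"
}

# Usage on a Security Onion box:  purge_all "$CONF"
# (Sguil/Squert/ELSA users live in the Sguil database, so after a purge
#  you may still need nsm_server_user-add, as noted in the thread.)
```

Run it on a copy of the config first (CONF=/tmp/securityonion.conf purge_all "$CONF") to confirm the edit and restore behave as expected before pointing it at the live file.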