File system full - manually clear logs?


Kris Springer

Feb 1, 2017, 11:20:13 AM
to security-onion
My SO file system grows to 99% and then daily around midnight it automatically purges something and drops down to 80%. I've researched this Google group and made some config edits based on past recommendations, but nothing seems to affect this drive space issue.

Full PCAP is disabled.
Edited elsa_node.conf "log_size_limit" with no noticeable effect.
Edited /etc/nsm/securityonion.conf limits with no noticeable effect.

How can I manually clear all logs? It seems that something's not working correctly regarding limiting drive usage to the configured percentages and days to keep. I don't even have a lot of traffic on our network, it just grows past the configured settings.

See attached sostat-redacted

sostat-redacted.txt

dan confused

Feb 1, 2017, 4:15:11 PM
to security-onion
Are you recording flow data, URLs, etc.? In our deployment we were unknowingly recording in duplicate the flow data coming from network devices. Similar setup, no full-pcap, limiting days to keep, etc. Check to see what you're actually feeding it and if you can cut some fluff. You can run the setup script again; however, be careful you config in the same manner as the initial setup or you can break existing sensors (learned the hard way). The setup script will clear all NSM data. Manually, you can go in and delete selected days' logs in:

/nsm/sensor_data/<interface>/<dailylog>
/nsm/elsa/data/elsa/log/node.log
/nsm/bro/logs/current

Someone please correct if I'm wrong but this has worked for me in the past.

~Dan
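Dan's advice comes down to two steps: find which of those locations is actually eating the disk, then prune selected days. The POSIX shell script below is an added example written for this thread, not code from Security Onion or from either poster. It assumes the directory layout Dan listed (`/nsm/sensor_data/<interface>/<dailylog>`, `/nsm/elsa/data/elsa/log`, `/nsm/bro/logs`) and that dailylog directories are named `YYYY-MM-DD`; it builds a constructed sample tree so it can be tried without touching a live sensor, and it only reports, it never deletes.

```shell
#!/bin/sh
# Added example for this thread; not Security Onion's own tooling.
# Assumed layout (from Dan's post): ROOT/sensor_data/<interface>/<YYYY-MM-DD>,
# ROOT/elsa/data/elsa/log, ROOT/bro/logs. Nothing here deletes anything.

# report_usage ROOT: print the size in KB of each log location that exists.
report_usage() {
  root="$1"
  for d in "$root/sensor_data" "$root/elsa/data/elsa/log" "$root/bro/logs"; do
    [ -d "$d" ] || continue
    du -sk "$d" | awk '{ printf "%10d KB  %s\n", $1, $2 }'
  done
}

# largest_dir ROOT: path of the log location using the most space.
largest_dir() {
  report_usage "$1" | sort -rn | head -n 1 | awk '{ print $3 }'
}

# list_stale_dailylogs ROOT CUTOFF: print dailylog directories whose
# YYYY-MM-DD name sorts before CUTOFF (also YYYY-MM-DD). Plain string
# comparison is correct for this fixed-width date format, so no date
# arithmetic is needed. Review the list before removing anything.
list_stale_dailylogs() {
  root="$1"; cutoff="$2"
  for iface in "$root"/sensor_data/*/; do
    [ -d "$iface" ] || continue
    for day in "$iface"*/; do
      [ -d "$day" ] || continue
      name=$(basename "$day")
      case "$name" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])
          if expr "$name" \< "$cutoff" >/dev/null; then
            echo "${day%/}"
          fi ;;
      esac
    done
  done
}

# make_sample_tree: build a constructed /nsm-like tree in a temp dir and print
# its path. File sizes and dates are made up for the demonstration; the
# oversized elsa node.log mirrors the symptom described in the thread.
make_sample_tree() {
  root=$(mktemp -d)
  for day in 2017-01-20 2017-01-25 2017-01-31 2017-02-01; do
    mkdir -p "$root/sensor_data/eth1/$day"
    head -c 4096 /dev/zero > "$root/sensor_data/eth1/$day/snort.log"
  done
  mkdir -p "$root/elsa/data/elsa/log" "$root/bro/logs/current"
  head -c 1048576 /dev/zero > "$root/elsa/data/elsa/log/node.log"
  head -c 8192 /dev/zero > "$root/bro/logs/current/conn.log"
  echo "$root"
}

# Interactive use on a real sensor (as root, read-only):
#   report_usage /nsm
#   list_stale_dailylogs /nsm 2017-01-30
```

Run `report_usage /nsm` first; if the elsa log directory dominates, as it did for Kris, the fix is in what is being logged rather than in deleting sensor_data days. `list_stale_dailylogs` prints candidates only, so the decision to remove a day stays with the operator.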

Kris Springer

Feb 1, 2017, 8:51:20 PM
to security-onion
Thanks. My elsa/log/node.log file is about 6 Gigs per day. That seems to be the culprit. The other folders you mentioned were very small. I'll rerun the setup and see what I can figure out. This box is in production but I'm the only one who looks at it. I've become accustomed to the type of traffic that flows so I'll only enable a few things in the setup and see if it serves our purposes. Thanks again!

Kris Springer

Feb 15, 2017, 12:37:40 PM
to security-onion
Thanks Dan. I dug in some more and had indeed enabled too much during the original setup and the system was duplicating efforts. Instead of re-running the setup I just turned off all the stuff I don't use. I'll let it run for a week or so and see what happens. If it's still acting fishy I'll re-run the setup to clear it out for sure.

For those interested, I read the 'Best Practices' info found here
https://github.com/Security-Onion-Solutions/security-onion/wiki/Best-Practices
and then referenced the attached 'Architectural Diagram' to decide what I wanted/needed.

Security Onion - Architecture diagram.png