Used up all free space in Security Onion


Cody Sapp

Mar 5, 2012, 2:26:19 PM
to security-onion
After I did a system update last Friday (March 2, 2012), I no longer
have any free space in Security Onion. Is there anything I can do to
free up some space?

Scott Runnels

Mar 5, 2012, 2:42:18 PM
to securit...@googlegroups.com
Cody, 

There should be a cron job running hourly to clean out old pcap and bro logs until there is at least 10% free space.  How much disc space does the machine have?  If you're monitoring a very active line you might be crossing the threshold from 90% to 100% very quickly.

v/r
Scott
--
Scott Runnels


Cody Sapp

Mar 5, 2012, 2:44:51 PM
to securit...@googlegroups.com
Last I checked, 0 Bytes.  However, about 20 minutes ago, I ended my Security Onion session, and now I can't log back in.  Every time I do, my connection times out.  Here are the details it gives:

NX> 203 NXSSH running with pid: 16212
NX> 285 Enabling check on switch command
NX> 285 Enabling skip of SSH config files
NX> 285 Setting the preferred NX options
NX> 200 Connected to address: 172.16.129.28 on port: 22
NX> 202 Authenticating user: nx
NX> 208 Using auth method: publickey
HELLO NXSERVER - Version 3.2.0-74-SVN OS (GPL, using backend: 3.5.0)
NX> 105 hello NXCLIENT - Version 3.2.0
NX> 134 Accepted protocol: 3.2.0
NX> 105 SET SHELL_MODE SHELL
NX> 105 SET AUTH_MODE PASSWORD
NX> 105 login
NX> 101 User: winninguser
NX> 102 Password: 
NX> 103 Welcome to: winning user: winninguser
NX> 105 listsession --user="winninguser" --status="suspended,running" --geometry="3600x1080x24+render" --type="unix-application"
/usr/bin/nxserver: line 287: echo: write error: No space left on device
/usr/bin/nxserver: line 288: echo: write error: No space left on device
/usr/bin/nxserver: line 295: echo: write error: No space left on device
/usr/bin/nxserver: line 296: echo: write error: No space left on device
/usr/bin/nxserver: line 374: echo: write error: No space left on device
/usr/bin/nxserver: line 375: echo: write error: No space left on device
/usr/bin/nxserver: line 381: echo: write error: No space left on device

NX> 105 NX> 280 Exiting on signal: 15

Do I just need to wait and try again later, or do I have a serious problem?

Doug Burks

Mar 5, 2012, 2:46:08 PM
to securit...@googlegroups.com
Hi Cody,

Can you just SSH to the box without using NX?

Thanks,
Doug

--
Doug Burks
Security Onion | http://securityonion.blogspot.com
President, Greater Augusta ISSA | http://augusta.issa.org
SANS Augusta 6/11 - 6/16 | http://www.sans.org/augusta-2012-cs/

Scott Runnels

Mar 5, 2012, 2:46:41 PM
to securit...@googlegroups.com
Hi Cody,

I should have been more clear.  How big is the disc installed on that box?

v/r
Scott
--
Scott Runnels


Cody Sapp

Mar 5, 2012, 2:49:18 PM
to securit...@googlegroups.com
To Doug, I don't know if I can.  I haven't tried it.

To Scott, when you say box, do you mean how much virtual space was allocated to security onion, or do you mean how much space I have on my actual computer (or do you mean something else)?

santosjd

Mar 5, 2012, 2:50:14 PM
to securit...@googlegroups.com
Hi Cody

Please go to /nsm/sensor_data/ids-so-eth1/

cd /nsm/sensor_data/ids-so-eth1/
sudo du -sh /nsm/sensor_data/ids-so-eth1/

You can replace ids-so-eth1 with the ethernet interface you are monitoring. You can see if an explicit day or network is filling your disk space. Use du -sh.
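
Added example, not part of the post above and not Security Onion's own cleanup script: a read-only triage that extends the du check to rank each day under dailylogs by size and compares filesystem usage with the 90% mark mentioned earlier in the thread. It assumes dailylogs holds one sub-directory per day named YYYY-MM-DD; the function names are made up for this example.

```shell
#!/bin/bash
# Added example: read-only disk triage for a full sensor. Nothing is deleted.
# Assumption: <sensor dir>/dailylogs holds one sub-directory per day (YYYY-MM-DD).

# Integer percent used on the filesystem that holds $1.
usage_pct() {
    df -P "$1" | awk 'NR==2 { gsub("%", "", $5); print $5 }'
}

# Day directories under $1/dailylogs, largest first, one "<KiB> <day>" per line.
days_by_size() {
    for day_dir in "$1"/dailylogs/*/; do
        [ -d "$day_dir" ] || continue
        printf '%s %s\n' "$(du -sk "$day_dir" | cut -f1)" "$(basename "$day_dir")"
    done | sort -k1,1nr -k2,2
}

# Oldest day directory name: the first one to review before removing anything.
oldest_day() {
    for day_dir in "$1"/dailylogs/*/; do
        [ -d "$day_dir" ] && basename "$day_dir"
    done | sort | head -n 1
}

# Report only when called with a sensor directory, for example:
#   sudo ./triage.sh /nsm/sensor_data/ids-so-eth1
if [ -n "${1:-}" ]; then
    pct=$(usage_pct "$1")
    echo "filesystem holding $1 is ${pct}% used"
    # The thread says hourly cleanup should keep at least 10% free.
    if [ "$pct" -ge 90 ]; then
        echo "above the 90% mark: cleanup is not keeping up"
    fi
    echo "largest days (KiB, day):"
    days_by_size "$1" | head -n 5
    echo "oldest day: $(oldest_day "$1")"
fi
```

Run it over SSH with sudo so du can read every capture directory; it only reports and leaves the decision about what to remove to the operator.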

Doug Burks

Mar 5, 2012, 2:53:54 PM
to securit...@googlegroups.com
Please try SSH. If you can't SSH, log into the physical box. We
can't help you any further until you're able to successfully execute
commands on the Security Onion box in question.

Thanks,
Doug

--

Scott Runnels

Mar 5, 2012, 2:59:35 PM
to securit...@googlegroups.com
Cody,

What I'm looking for is the size of the hard disc (or virtual hard disc) that the machine uses.  For example, my primary securityonion sensor has 700GB of disc space allocated to it.  This means it has 700GB of space for the operating system, databases, pcap files, bro logs, etc.

v/r
Scott

--
Scott Runnels


santosjd

Mar 5, 2012, 3:00:49 PM
to securit...@googlegroups.com
Remove the /nsm/sensor_data/ids-so-eth1/dailylogs, at least the last day in your monitor data.

Cody Sapp

Mar 5, 2012, 3:07:57 PM
to securit...@googlegroups.com
Okay...the only way I know how to get into security onion is by typing nxclient on my Konsole window and then just logging in.  I don't know of any other way to get into security onion.

Scott Runnels

Mar 5, 2012, 3:10:57 PM
to securit...@googlegroups.com
Hi Cody, 

If you're running Windows you can use PuTTY.  Just point it at the IP address of your securityonion installation and you should be able to log in with your username and password.

You can also use ssh username@ipaddress in Linux or OS X terminals.

v/r
Scott

--
Scott Runnels


santosjd

Mar 5, 2012, 3:11:33 PM
to securit...@googlegroups.com
Please free up space, and after that you will have enough space to open Snorby or Squert. But you have to erase some dailylogs in sensor_data. Please use ssh.

Cody Sapp

Mar 5, 2012, 4:20:50 PM
to securit...@googlegroups.com
Okay, I was able to free up some space.  Thanks, guys.

don m.

Feb 8, 2017, 5:30:20 PM
to security-onion, tgq...@mocs.utc.edu
For others who find this thread:

There is a directory called "/nsm/bro/spool/tmp" that has, as far as I can tell, a crash report or extract of some sort relating to sguil. I had a system that I built in the fall of 2016, and did an update about October, and then just let it sit and run. I ran out of disk, looked all around, and finally found this directory. All of the files were sguil for owner and group.

HTH,
Don M.
