If I set it so that pcaps only hang around for 30 days, the Sguil/ELSA/Bro data doesn't hold the network traffic, just information about the alert?
I'm good with just setting CRIT_DISK_USAGE since Bro, ELSA, and Sguil data are stored on my server instance then?
I guess I'm asking if I should be writing a cron job to dump folders in dailylogs that are older than 30 days, or am I going to have difficulty with massaging CRIT_DISK_USAGE since I'm more concerned with the PCAPs?
So does that give the opportunity that setting CRIT_DISK_USAGE to a percentage such that log_size_limit is larger than which would prevent any pcaps lasting for more than a day?
--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
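The poster's alternative to tuning CRIT_DISK_USAGE is an age-based cron job over the dailylogs folders. The script below is an added example, not Security Onion's own tooling: it prunes dailylogs/YYYY-MM-DD directories by age rather than by disk-usage percentage, with a dry-run mode so the list of what would be deleted can be reviewed before anything is removed. It assumes the layout `/nsm/sensor_data/<sensor>/dailylogs/<date>/` (an assumption, adjust to your sensor), and that a day's directory mtime reflects its last pcap write. `make_sample_dailylogs` builds a constructed sample tree in a temp directory so the script can be exercised without touching a real sensor.

```shell
#!/bin/sh
# Added example (not Security Onion's code): age-based pruning of pcap
# dailylogs directories, independent of the CRIT_DISK_USAGE threshold.
# Assumed layout: /nsm/sensor_data/<sensor>/dailylogs/YYYY-MM-DD/ (assumption).

# Print the dailylogs subdirectories under $1 whose mtime is older than $2 days.
# find's -mtime +N matches entries modified more than N*24h ago, so "30"
# keeps today's and the last 30 days' directories untouched.
list_old_dailylogs() {
    root=$1
    days=$2
    find "$root" -mindepth 1 -maxdepth 1 -type d -mtime +"$days" | sort
}

# Remove those directories. Third argument "dry" only prints the candidates.
# Prints the number of directories matched (removed, or that would be removed).
prune_old_dailylogs() {
    root=$1
    days=$2
    mode=${3:-delete}
    n=$(list_old_dailylogs "$root" "$days" | wc -l | tr -d ' ')
    list_old_dailylogs "$root" "$days" | while IFS= read -r d; do
        if [ "$mode" = "dry" ]; then
            echo "would remove: $d"
        else
            rm -rf -- "$d"
        fi
    done
    echo "$n"
}

# Build a constructed sample dailylogs tree: two stale days from 2015 and one
# fresh directory named for today. Prints the temp root so callers can clean up.
make_sample_dailylogs() {
    root=$(mktemp -d)
    for day in 2015-01-01 2015-01-15; do
        mkdir "$root/$day"
        # Constructed pcap filename in the snort.log.<epoch> style; the content is irrelevant.
        touch -t 201501010000 "$root/$day/snort.log.1420070400"
        touch -t 201501010000 "$root/$day"
    done
    mkdir "$root/$(date +%F)"
    echo "$root"
}

# Stand-alone demonstration: dry-run over the sample tree, then a real prune.
if [ "${1:-}" = "demo" ]; then
    sample=$(make_sample_dailylogs)
    echo "dry run:"
    prune_old_dailylogs "$sample" 30 dry
    echo "deleting:"
    prune_old_dailylogs "$sample" 30
    ls "$sample"
    rm -rf "$sample"
fi
```

For a real sensor the cron entry would call `prune_old_dailylogs /nsm/sensor_data/<sensor>/dailylogs 30`, after a `dry` pass has confirmed the candidate list looks right. Keeping the disk-usage threshold in place as a backstop still makes sense: age-based pruning alone does nothing on a day when a traffic spike fills the disk faster than expected.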