How to delete all events (historic)?


Manuel Gomez

Sep 6, 2013, 1:14:17 PM9/6/13
to securit...@googlegroups.com
Hi!

I've been playing with Security Onion (it's amazing!), and have a lot of info.

I'm ready to deploy the box. Is it possible to delete all old events? (like new)

Regards,

Heine Lysemose

Sep 6, 2013, 2:52:38 PM9/6/13
to securit...@googlegroups.com

Hi

The easiest way to clear all events is to rerun sosetup.

Regards,
Lysemose

--
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/groups/opt_out.

Алексей Винчаков

Sep 9, 2013, 2:29:46 AM9/9/13
to securit...@googlegroups.com
On Friday, September 6, 2013, 23:14:17 UTC+6, Manuel Gomez wrote:
Hello, I too struggled with this question. I found this article:
https://es.oteric.info/articles/how-to-clean-up-unwanted-snorby-events-by-signature-name

It is an example for Snorby, in principle. I usually did it like this:
#nsm_sensor_ps-stop
#nsm_server_ps-stop
#cd /usr/local/share/snorby
#sudo RAILS_ENV=production bundle exec rails c
irb(main):001:0> Snorby::Worker.stop
=> "delayed_job: trying to stop process with pid 22277...\ndelayed_job: process with pid 22277 successfully stopped.\n"
irb(main):002:0> Snorby::Jobs.clear_cache(true)
=> true
irb(main):003:0> exit
#mysql
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| msf3 |
| mysql |
| securityonion_db |
| snorby |
+--------------------+
5 rows in set (0.02 sec)
mysql> use snorby;
mysql> show tables;
+-------------------+
| Tables_in_snorby |
+-------------------+
| aggregated_events |
| caches |
| classifications |
| daily_caches |
| data |
| delayed_jobs |
| detail |
| encoding |
| event |
| events_with_join |
| favorites |
| icmphdr |
| iphdr |
| lookups |
| notes |
| notifications |
| opt |
| reference |
| reference_system |
| schema |
| search |
| sensor |
| settings |
| severities |
| sig_class |
| sig_reference |
| signature |
| tcphdr |
| udphdr |
| users |
+-------------------+
30 rows in set (0.00 sec)
mysql> TRUNCATE snorby.delayed_jobs;
mysql> SELECT e.sid, e.signature, s.sig_name, count(s.sig_name) as sig_counts FROM snorby.event e JOIN snorby.signature s ON e.signature = s.sig_id GROUP BY s.sig_name ORDER BY sig_counts DESC;
mysql> DELETE so FROM snorby.opt so INNER JOIN snorby.data sd ON sd.cid = so.cid INNER JOIN snorby.event se ON se.cid=sd.cid INNER JOIN snorby.iphdr si ON si.cid=sd.cid INNER JOIN snorby.signature ss ON ss.sig_id = se.signature INNER JOIN snorby.tcphdr st ON st.cid = sd.cid WHERE (ss.sig_name = "stream5: TCP Timestamp is missing") AND (so.optid = 0 OR so.optid = 1 OR so.optid = 2);
mysql> DELETE FROM sd, se, si, ss, st USING snorby.data sd INNER JOIN snorby.event se INNER JOIN snorby.iphdr si INNER JOIN snorby.signature ss INNER JOIN snorby.tcphdr st WHERE sd.cid=se.cid AND se.signature=ss.sig_id AND se.cid=si.cid AND (ss.sig_name = "stream5: TCP Timestamp is missing") AND se.cid=st.cid;
mysql> DELETE FROM se, si, ss, st USING snorby.event se INNER JOIN snorby.iphdr si INNER JOIN snorby.signature ss INNER JOIN snorby.tcphdr st WHERE se.signature=ss.sig_id AND se.cid=si.cid AND (ss.sig_name = "stream5: TCP Timestamp is missing") AND se.cid=st.cid;
mysql> exit
#sudo RAILS_ENV=production bundle exec rails c
irb(main):001:0> Snorby::Jobs.clear_cache(true)
=> true
irb(main):001:0> Snorby::Jobs::SensorCacheJob.new(true).perform
irb(main):002:0> Snorby::Jobs::DailyCacheJob.new(true).perform
irb(main):003:0> Snorby::Worker.start
irb(main):004:0> exit
#nsm --all --start

Doug Burks

Sep 9, 2013, 7:32:24 AM9/9/13
to securit...@googlegroups.com
We don't recommend or support manual modification of the Snorby
database like this. Also keep in mind that those instructions only
pertain to the Snorby database and do not clear our other databases
(like Sguil's securityonion_db and ELSA's syslog databases).

As Lysemose mentioned, the easiest option is to re-run Setup.

Doug
--
Doug Burks
http://securityonion.blogspot.com

jsm

Dec 10, 2013, 2:05:42 PM12/10/13
to securit...@googlegroups.com
Hi everybody

Thank you to the developers on making such a great distro.

I am replying to an old thread as it is most relevant. I want to check that when I re-run sosetup, are my modifications to 'snort.conf', 'disablesid.conf' and 'threshold.conf' replaced, or should I just back them up and reapply them immediately?

*** Background *** I have built SO and have let it collect data and alert for about a week. I have made changes (tuning for HOME_NET, disabled SIDs, etc.) and want to clear all the Snorby events. We are using Snorby predominantly and are not worried about the Sguil database etc.

Regards

J

Doug Burks

Dec 11, 2013, 7:32:15 AM12/11/13
to securit...@googlegroups.com
Hi jsm,

Re-running sosetup will wipe any NSM data/config, so you should backup
any config files you've modified.
http://securityonion.net

Brian Kramer

Jan 4, 2015, 5:24:58 PM1/4/15
to securit...@googlegroups.com
Hi Doug / et al.,

Sorry about jumping on such an old post. But I've recently installed SO, and have been wondering about this very topic. Are events archived, and/or automatically purged after a certain size, or period of time?

Thanks!
Brian

Doug Burks

Jan 6, 2015, 10:13:42 AM1/6/15
to securit...@googlegroups.com
Hi Brian,

Replies inline.

On Sun, Jan 4, 2015 at 5:24 PM, Brian Kramer <bk6...@gmail.com> wrote:
> Hi Doug / et al.,
>
> Sorry about jumping on such an old post.

https://code.google.com/p/security-onion/wiki/MailingLists#Start_a_new_thread_instead_of_replying_to_an_old_one

> But I've recently installed SO, and have been wondering about this very topic. Are events archived, and/or automatically purged after a certain size, or period of time?

The Snorby database has a "Prune database" setting available under
Administration - General Settings.

The Sguil database has a DAYSTOKEEP value specified in
/etc/nsm/securityonion.conf.

The ELSA database is controlled by the log_size_limit value specified
in /etc/elsa_node.conf.

Pcaps and other raw logs on disk are automatically purged by the
/etc/cron.d/sensor-clean cron job that runs every minute. If disk
usage is above the CRIT_DISK_USAGE threshold specified in
/etc/nsm/securityonion.conf, then it will delete the oldest day's
worth of pcaps/logs and continue doing so until the disk is within the
threshold.



--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
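The purge loop Doug describes (sensor-clean dropping the oldest day's pcaps/logs until disk usage is back under CRIT_DISK_USAGE), modelled as an added shell example. This is not Security Onion's own /etc/cron.d/sensor-clean script; it assumes one directory per day named YYYY-MM-DD under the log directory, and the fake_usage_pct probe and demo_purge scenario are constructed so it runs offline.

```shell
#!/bin/sh
# Added illustration of the sensor-clean purge logic, not the real script.
# ASSUMPTION: per-day log directories named YYYY-MM-DD under $LOGDIR.

# Real probe: percent of the filesystem holding $1 in use (df -P column 5).
disk_usage_pct() {
    df -P "$1" | awk 'NR == 2 { sub("%", "", $5); print $5 }'
}

count_day_dirs() {
    ls -1 "$1" | grep -cE '^[0-9]{4}-[0-9]{2}-[0-9]{2}$'
}

# Offline stand-in for the probe: pretend each day directory costs 10% of disk.
fake_usage_pct() {
    echo $(( $(count_day_dirs "$1") * 10 ))
}

# purge_oldest_days LOGDIR THRESHOLD [PROBE]
# While PROBE reports usage above THRESHOLD (CRIT_DISK_USAGE), remove the
# oldest day directory. Prints each removed name; fails if none are left.
purge_oldest_days() {
    logdir=$1; threshold=$2; probe=${3:-disk_usage_pct}
    while [ "$("$probe" "$logdir")" -gt "$threshold" ]; do
        oldest=$(ls -1 "$logdir" | grep -E '^[0-9]{4}-[0-9]{2}-[0-9]{2}$' | sort | head -n 1)
        if [ -z "$oldest" ]; then
            echo "usage still above ${threshold}% but no day directories remain" >&2
            return 1
        fi
        rm -rf "$logdir/$oldest"   # name matched the strict date pattern above
        echo "$oldest"
    done
}

# Constructed scenario: three days of logs (30% via the fake probe) and a 15%
# threshold, so the two oldest days are removed and the newest survives.
demo_purge() {
    tmp=$(mktemp -d)
    for day in 2013-09-04 2013-09-05 2013-09-06; do
        mkdir -p "$tmp/$day" && echo pcap > "$tmp/$day/snort.log"
    done
    purge_oldest_days "$tmp" 15 fake_usage_pct >/dev/null
    ls -1 "$tmp"   # remaining day directories
    rm -rf "$tmp"
}
```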

Jim Litchford

Jun 26, 2017, 5:47:07 PM6/26/17
to security-onion
Hello,

I have no clue how to delete logs. I have an issue where I need to delete some logs. I need to delete all logs between say, yesterday at 1500 to this morning at 0900, but keep all logs before and after this time.

I can not rerun setup for this has been disabled in this situation. Any help would be appreciated.

Wes

Jun 27, 2017, 7:23:16 AM6/27/17
to security-onion