Re: [security-onion] how are logs rotated out of /var/log/nsm?


Matt Gregory

Feb 6, 2013, 4:58:38 PM
to securit...@googlegroups.com
There's an hourly cron job that will delete the oldest logs if the disk usage is at 90% or greater.  It will delete enough to get the usage below 90%.  However, if you are monitoring a lot of traffic, it's possible for the disk to completely fill up that last 10% before the next cron runs, so you must size your storage accordingly.

It's not recommended to delete old logs just for the sake of getting your disk usage down, as that defeats the purpose of full packet capture for network security monitoring, in that you want as much traffic as possible saved so that you can analyze it based on alerts or other indicators, and not be stuck with whatever few packets may have triggered a particular alert and which probably won't tell you much.

Matt


On Wed, Feb 6, 2013 at 4:13 PM, Clement Chen <plutoc...@gmail.com> wrote:
Hi,

I am wondering how logs are rotated out of /var/log/nsm. The size of the directory is more than 20GB in my setup. Is there any setting for the log rotation period?

Thanks.

Clement

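The hourly job Matt describes (measure usage, delete the oldest data until the number is back under the threshold, and accept that a busy sensor can still fill the last 10% between runs) is easy to get wrong in a way that silently eats evidence. The following shell script is an added illustration written for this page, not Security Onion's own cron job. It assumes capture data lives in date-named subdirectories (YYYY-MM-DD, which sort chronologically), adds a dry-run mode so you can see what would be purged before anything is removed, and offers two measurements: a byte budget, which is safe to exercise on a scratch directory, and the df-based percent-of-filesystem check that matches the 90% rule in the thread.

```shell
#!/bin/sh
# Added example, not Security Onion's own cron job. Purges the oldest
# date-named subdirectories (YYYY-MM-DD, which sort chronologically) until
# usage drops below a limit, oldest first, mirroring the hourly 90% rule.

# usage_bytes DIR: total bytes of regular files under DIR (portable: no GNU find).
usage_bytes() {
    find "$1" -type f -exec cat {} + | wc -c | tr -d ' '
}

# disk_pct DIR: percent of the filesystem holding DIR that is in use (df -P is POSIX).
disk_pct() {
    df -P "$1" | awk 'NR == 2 { sub(/%/, "", $5); print $5 }'
}

# purge_oldest DIR BUDGET_BYTES [DRY_RUN]: remove the oldest day directories
# until the tree is under BUDGET_BYTES. Accounting is done in-script so a dry
# run (DRY_RUN=1) reports exactly the same decisions without deleting anything.
# Prints the resulting byte usage on stdout; per-directory actions go to stderr.
purge_oldest() {
    dir=$1; budget=$2; dry=${3:-0}
    used=$(usage_bytes "$dir")
    for day in $(ls "$dir" | grep -E '^[0-9]{4}-[0-9]{2}-[0-9]{2}$' | sort); do
        if [ "$used" -lt "$budget" ]; then
            break
        fi
        size=$(usage_bytes "$dir/$day")
        if [ "$dry" -eq 0 ]; then
            rm -rf "$dir/$day"
            echo "removed $dir/$day ($size bytes)" >&2
        else
            echo "would remove $dir/$day ($size bytes)" >&2
        fi
        used=$((used - size))
    done
    echo "$used"
}

# purge_to_pct DIR MAX_PCT: the real-world form of the hourly check. While the
# filesystem is at MAX_PCT or more, drop the oldest day and measure again.
# Only the newest data survives, so storage must be sized for the retention
# you actually need rather than relying on this job.
purge_to_pct() {
    dir=$1; max=$2
    for day in $(ls "$dir" | grep -E '^[0-9]{4}-[0-9]{2}-[0-9]{2}$' | sort); do
        if [ "$(disk_pct "$dir")" -lt "$max" ]; then
            break
        fi
        rm -rf "$dir/$day"
        echo "removed $dir/$day" >&2
    done
}
```

Run `purge_oldest /path/to/captures BYTES 1` first: the dry run prints every directory it would drop and the usage that would remain, which is the quickest way to see how many days of packets a given budget really buys you before letting the percent-based form loose.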



Doug Burks

Feb 6, 2013, 6:35:17 PM
to securit...@googlegroups.com
/nsm contains NSM data output from processes (snort alerts, full packet capture, etc.), but /var/log/nsm/ contains logs about the processes (failure to start, operational data, etc.). The logs in /var/log/nsm/ should get rotated daily and a maximum of 10 should be kept. This is performed by the /etc/cron.d/sensor-newday cronjob which ultimately calls the process_restart() function in /usr/lib/nsmnow/lib-nsm-common-utils.

What is taking up the majority of that 20GB?

Thanks,
Doug

On Wed, Feb 6, 2013 at 5:26 PM, Clement Chen <plutoc...@gmail.com> wrote:
> Thanks. But I thought the hourly cron job is to delete old logs under /nsm, not /var/log/nsm.
>
> Not sure what the logs under /var/log/nsm are for.
--
Doug Burks
http://securityonion.blogspot.com
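The daily "rotate and keep at most 10" behaviour Doug describes for /var/log/nsm is shown below as an added shell example written for this page; it is not the sensor-newday cron job or the process_restart() function from lib-nsm-common-utils. It assumes a rotated copy is named by appending a YYYYMMDD stamp, which sorts chronologically, and takes the stamp as an optional argument so the retention logic can be exercised on a scratch directory without waiting for real days to pass.

```shell
#!/bin/sh
# Added example, not the sensor-newday cron job itself: a daily rotation that
# timestamps the current log and keeps only the N newest rotated copies.

# rotate_keep LOGFILE N [STAMP]: move LOGFILE to LOGFILE.STAMP, create a fresh
# empty LOGFILE, then delete rotated copies beyond the N newest. STAMP defaults
# to today's date as YYYYMMDD so copies sort chronologically. Prints the number
# of rotated copies that remain.
# Caveat: a daemon that still holds the old file open keeps writing to the
# renamed copy; that is why the real cron job restarts the process afterwards.
rotate_keep() {
    log=$1; keep=$2; stamp=${3:-$(date +%Y%m%d)}
    if [ -f "$log" ]; then
        mv "$log" "$log.$stamp"
    fi
    : > "$log"
    # list rotated copies newest-first and drop everything past the first N
    ls -1 "$log".* 2>/dev/null | sort -r | tail -n +"$((keep + 1))" |
        while IFS= read -r old; do
            rm -f "$old"
        done
    ls -1 "$log".* 2>/dev/null | wc -l | tr -d ' '
}
```

Called once a day as `rotate_keep /var/log/nsm/<sensor>/<agent>.log 10`, the function never holds more than ten dated copies, which is the bound Doug gives; the active log itself is not counted.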

Doug Burks

Feb 6, 2013, 7:04:29 PM
to securit...@googlegroups.com
You can try setting DEBUG to 0 in http_agent.conf.

Something else to consider is that, if you're running ELSA, you
already have access to the Bro http logs there, so you might want to
disable http_agent to stop sending them to Sguil.

Doug

On Wed, Feb 6, 2013 at 6:53 PM, Clement Chen <plutoc...@gmail.com> wrote:
> Thanks Doug. It is the http_agent logs that take up a lot of space (around 17 GB).