Security Onion in training lab - How to avoid disk filling up?


chuck

Apr 12, 2014, 3:55:19 PM
to securit...@googlegroups.com
My training lab Security Onion sensors are filling up their disks and locking up, even though the so setup disk free space setting is set at 50% (as an experiment).

Prior to setting up the sensor array for the lab, I tested the current build of Security Onion, 12.04.4, to see how it handles the disks filling up. I ran tcpreplay -i eth1 -m 1000 against a large collection of pcap I have. The SO test system's disk quickly filled up, and at the 50% clean up mark, the sensor-clean.log repeatedly said that no files were available to clean up. The system ultimately filled up to 100%, all the while logging that no files were available for cleanup.

I had thought this was fixed and SO would recursively "trim" files to maintain 90%, or the different specified setting from Setup.

What I need to be able to do:

Situation
I have two different training labs. I need to set up a separate Security Onion monitoring solution for each. I have so-called "dedicated" hardware consisting of a single Dell Poweredge 610 with dual quad processors, 48 GB RAM, 750G RAID 5 space. The Dell is running ESXi 5.5.

My original plan was to set up 4 Security Onion VMs, one server and one sensor for each separate training lab. The reason for this was to allow some load-balancing and have the analyst remotely connect to the server via Sguil and such, while allowing the sensor to chug along and process the network traffic.

For the sake of maximizing the available disk space, I may need to only create two Sensor/Servers, one dedicated for each lab.

Any suggestions are greatly appreciated,

Chuck

Matt Gregory

Apr 12, 2014, 6:18:28 PM
to securit...@googlegroups.com
Hi Chuck,

The clean-up script only removes data older than the current day. So, if you are artificially forcing the disk to reach the capacity at which the script would run in a single day, then no data will be removed. If that happens in a production environment, your options would be to either raise the disk usage threshold at which the script runs, add storage space, or reduce the amount of traffic the box is monitoring (e.g., enable BPFs to ignore certain traffic, reduce the number of interfaces, reduce the amount of traffic mirrored, etc.).

Matt


Doug Burks

Apr 15, 2014, 9:18:03 AM
to securit...@googlegroups.com
Hi Chuck,

Replies inline.

On Sat, Apr 12, 2014 at 3:55 PM, chuck <charles...@gmail.com> wrote:
> My training lab Security Onion sensors are filling up their disks and locking up, even though the so setup disk free space setting is set at 50% (as an experiment).
>
> Prior to setting up the sensor array for the lab, I tested the current build of Security Onion, 12.04.4, to see how it handles the disks filling up. I ran tcpreplay -i eth1 -m 1000 against a large collection of pcap I have. The SO test system's disk quickly filled up, and at the 50% clean up mark, the sensor-clean.log repeatedly said that no files were available to clean up. The system ultimately filled up to 100%, all the while logging that no files were available for cleanup.
>
> I had thought this was fixed and SO would recursively "trim" files to maintain 90%, or the different specified setting from Setup.

This is correct, with the caveat that it will not delete pcaps from
the current day.

> What I need to be able to do:
>
> Situation
> I have two different training labs. I need to set up a separate Security Onion monitoring solution for each. I have so-called "dedicated" hardware consisting of a single Dell Poweredge 610 with dual quad processors, 48 GB RAM, 750G RAID 5 space. The Dell is running ESXi 5.5.
>
> My original plan was to set up 4 Security Onion VMs, one server and one sensor for each separate training lab. The reason for this was to allow some load-balancing and have the analyst remotely connect to the server via Sguil and such, while allowing the sensor to chug along and process the network traffic.

Load balancing won't be that effective if all VMs are sharing the
resources of the same host anyway.

> For the sake of maximizing the available disk space, I may need to only create two Sensor/Servers, one dedicated for each lab.

Yes, I'd recommend this. You may even want to consider dropping down
to a single Server/Sensor with multiple interfaces (if possible) so
that it can be given all of the disk space.



--
Doug Burks
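The rule both replies describe, that the cleaner purges whole days oldest-first but never touches the current day, modelled as an added shell example. This is not Security Onion's own sensor-clean script: the one-directory-per-day layout, a byte budget standing in for the percentage threshold, and the function names are all assumptions made for the illustration.

```shell
#!/bin/sh
# Constructed model of "clean only data older than today". Not Security
# Onion's sensor-clean script; layout, names and byte budget are assumptions.
# Assumed layout: ROOT/YYYY-MM-DD/*.pcap, one directory per capture day.

# usage_bytes ROOT: total bytes of all files under ROOT (stands in for df %).
usage_bytes() {
    find "$1" -type f -exec cat {} + | wc -c | tr -d ' '
}

# clean_old_days ROOT TODAY LIMIT: delete the oldest day directories until
# usage is at or below LIMIT bytes. Returns 0 when the budget is met, 1 when
# only TODAY is left and the budget is still exceeded: that is the "no files
# available to clean up" situation a single-day tcpreplay burst produces.
clean_old_days() {
    root=$1; today=$2; limit=$3
    while [ "$(usage_bytes "$root")" -gt "$limit" ]; do
        oldest=$(ls "$root" | grep -v "^$today\$" | sort | head -n 1)
        if [ -z "$oldest" ]; then
            echo "clean: over limit but only $today remains; nothing to clean" >&2
            return 1
        fi
        echo "clean: removing $root/$oldest" >&2
        rm -rf "$root/$oldest"
    done
    return 0
}

# make_day ROOT DAY BYTES: create a fake day directory with one pcap of BYTES.
make_day() {
    mkdir -p "$1/$2"
    dd if=/dev/zero of="$1/$2/capture.pcap" bs="$3" count=1 2>/dev/null
}

# demo: constructed lab. Two older days are purged to meet the budget; a replay
# that lands entirely in "today" leaves the cleaner with nothing it may delete.
demo() {
    root=$(mktemp -d)
    make_day "$root" 2014-04-10 1000
    make_day "$root" 2014-04-11 1000
    make_day "$root" 2014-04-12 1000
    clean_old_days "$root" 2014-04-12 1500 && echo "lab A: budget met"
    make_day "$root" 2014-04-12 4000      # big burst, all dated today
    clean_old_days "$root" 2014-04-12 1500 \
        || echo "lab B: stuck at $(usage_bytes "$root") bytes, disk keeps filling"
    rm -rf "$root"
}
demo
```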