Open michal25 opened 1 year ago
pevma
commented
1 year ago Can you please share the output of the max-files in the yaml settings you have setup ?
Also ls -lh of the pcap folder where they are stored if ok please?
You can also have a look at the log rotation settings here just in case - https://github.com/StamusNetworks/SELKS/wiki/Docker#log-rotation , by default it is daily.
Does it fill up too fast within 24hrs or just not rotating actually ?
michal25
commented
1 year ago - pcap-log:
enabled: yes
filename: log.%n.%t.pcap
#filename: log.pcap
# File size limit. Can be specified in kb, mb, gb. Just a number
# is parsed as bytes.
limit: 20mb
# If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit"
max-files: 8000
mode: multi # normal, multi or sguil.
# Directory to place pcap files. If not provided the default log
# directory will be used. Required for "sguil" mode.
dir: /var/log/suricata/fpc/ls -lh looks ok It looks as it fill up too fast within 24hrs.
pevma
commented
1 year ago ok so if it is filling up to fast maybe you can adjust the rotation to hourly as per the link above?
This configuration
Is not working on Ubuntu 22.04.2 LTS (GNU/Linux 5.15.0-72-generic x86_64) (not selks image, normal Ubuntu virtual OS).
Description root@suricata:~# docker exec suricata suricata --build-info This is Suricata version 7.0.0-rc2-dev (afef35b9d 2023-05-24) Features: NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HTTP2_DECOMPRESSION HAVE_LUA HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST SIMD support: SSE_4_2 SSE_4_1 SSE_3 Atomic intrinsics: 1 2 4 8 16 byte(s) 64-bits, Little-endian architecture GCC version 11.3.1 20221121 (Red Hat 11.3.1-4), C version 201112 compiled with _FORTIFY_SOURCE=0 L1 cache line size (CLS)=64 thread local storage method: _Thread_local compiled with LibHTP v0.5.43, linked against LibHTP v0.5.43
Suricata Configuration: AF_PACKET support: yes AF_XDP support: no DPDK support: yes eBPF support: yes XDP support: yes PF_RING support: no NFQueue support: yes NFLOG support: no IPFW support: no Netmap support: no DAG enabled: no Napatech enabled: no WinDivert enabled: no
Unix socket enabled: yes Detection enabled: yes
Libmagic support: yes libjansson support: yes hiredis support: yes hiredis async with libevent: yes PCRE jit: yes LUA support: yes libluajit: no GeoIP2 support: yes Non-bundled htp: no Hyperscan support: yes Libnet support: yes liblz4 support: yes Landlock support: yes
Rust support: yes Rust strict mode: no Rust compiler path: /usr/bin/rustc Rust compiler version: rustc 1.66.1 (90743e729 2023-01-10) (Red Hat 1.66.1-1.el9) Cargo path: /usr/bin/cargo Cargo version: cargo 1.66.1
Python support: yes Python path: /usr/bin/python3 Install suricatactl: yes Install suricatasc: yes Install suricata-update: yes
Profiling enabled: no Profiling locks enabled: no Profiling rules enabled: no
Plugin support (experimental): yes
Development settings: Coccinelle / spatch: no Unit tests enabled: no Debug output enabled: no Debug validation enabled: no Fuzz targets enabled: no
Generic build parameters: Installation prefix: /usr Configuration directory: /etc/suricata/ Log directory: /var/log/suricata/
--prefix /usr --sysconfdir /etc --localstatedir /var --datarootdir /usr/share
Host: x86_64-pc-linux-gnu Compiler: gcc (exec name) / g++ (real) GCC Protect enabled: no GCC march native enabled: no GCC Profile enabled: no Position Independent Executable enabled: no CFLAGS -g -O2 -fPIC -std=c11 -I/usr/include/dpdk -include rte_config.h -march=corei7 -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist PCAP_CFLAGS
SECCFLAGS
Steps to reproduce the issue: