StamusNetworks / scirius

Scirius is a web application for Suricata ruleset management and threat hunting.
GNU General Public License v3.0

Moloch capture.log #187

Closed vspies closed 5 years ago

vspies commented 5 years ago

Hi,

I did a fresh SELKS install and everything seems to be working fine after "selks-first-time-setup_stamus". Btw. I configured FCP_RETAIN

But I have a problem with "/data/moloch/logs/capture.log". It is growing really fast with these entries:

http.c:369 moloch_http_curlm_check_multi_info(): 1/30 ASYNC 201 http://localhost:9200/dstats/dstat/idswgdeahl01-983-5 822/155 0ms 50ms

So I altered these settings in "/data/moloch/etc/config.ini" and switched

logESRequests = true
logFileCreation = true

to 'false'

But when I restart moloch with that configuration, Moloch seems to stop working. Services are starting fine, but it does not capture packets.

Even when I do an "selks-db-logs-cleanup_stamus" nothing changes, in "/data/moloch/raw" a file with 0kb is created, but nothing else.

What is the problem here and how do I keep the capture.log from growing too big?

Best regards

Volker

pevma commented 5 years ago

It is Suricata that does the packet capture. So maybe you would need to restart Suricata too?

What speed do you have the deployment with - out of curiosity?

Is there anything in the "/data/moloch/logs/capture.log" when you restart the Moloch service indicating a problem?

Do all checks come back clean on running - selks-health check script ?

Thank you

-- Regards, Peter Manev

On 16 Aug 2019, at 12:32, vspies notifications@github.com wrote:

Hi,

I did a fresh SELKS install and everything seems to be working fine after "selks-first-time-setup_stamus". Btw. I configured FCP_RETAIN

But I have a problem with "/data/moloch/logs/capture.log". It is growing really fast with these entries:

http.c:369 moloch_http_curlm_check_multi_info(): 1/30 ASYNC 201 http://localhost:9200/dstats/dstat/idswgdeahl01-983-5 822/155 0ms 50ms

So I altered these settings in "/data/moloch/etc/config.ini" and switched

# DEBUG - Write to stdout elastic search requests
logESRequests = true
# DEBUG - Write to stdout file creation information
logFileCreation = true

to 'false'

But when I restart moloch with that configuration, Moloch seems to stop working. Services are starting fine, but it does not capture packets.

Even when I do an "selks-db-logs-cleanup_stamus" nothing changes, in "/data/moloch/raw" a file with 0kb is created, but nothing else.

What is the problem here and how do I keep the capture.log from growing too big?

Best regards

Volker


vspies commented 5 years ago

Ok, did a fresh install, first time setup and altered the Moloch config.ini.

After a moloch service restart, everything is working as expected and the debug log messages about Moloch - Elasticsearch communication are gone.

I don't know what I did differently the first time, but it's working now...

Thanks for the reply.

Best regards.
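The fix that resolved this issue is flipping two keys in /data/moloch/etc/config.ini from true to false. Below is an added POSIX shell example, written for this page and not taken from SELKS, Moloch or Scirius, that makes that change in place and lets you verify it before restarting the service. It assumes only the "key = value" line format visible in the quoted config.ini excerpt; the sample file contents, the extra pcapDir line and all function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not SELKS/Moloch/Scirius code): edit Moloch's config.ini
# in place and verify the result. Assumes "key = value" lines, one per key,
# with comments starting with "#", as in the excerpt quoted in the issue.
set -eu

# Constructed sample modelled on the quoted excerpt of /data/moloch/etc/config.ini.
# The pcapDir line is an assumption added so a non-target key is also exercised.
make_sample_ini() {
  cat > "$1" <<'EOF'
[default]
# DEBUG - Write to stdout elastic search requests
logESRequests = true
# DEBUG - Write to stdout file creation information
logFileCreation = true
pcapDir = /data/moloch/raw
EOF
}

# set_ini_key FILE KEY VALUE: rewrite an existing "KEY = ..." line, or append
# the key if it is absent. Comment lines ("# ...") are never touched because the
# pattern anchors on the key at the start of the line. Written via a temp file
# and mv so a partially written config never replaces the original.
set_ini_key() {
  file=$1; key=$2; value=$3
  if grep -q "^[[:space:]]*${key}[[:space:]]*=" "$file"; then
    sed "s|^[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
  else
    printf '%s = %s\n' "$key" "$value" >> "$file"
  fi
}

# get_ini_key FILE KEY: print the value of KEY (first match), or nothing if absent.
get_ini_key() {
  sed -n "s|^[[:space:]]*${2}[[:space:]]*=[[:space:]]*||p" "$1" | head -n 1
}

# quiet_moloch_logging FILE: turn off the two debug switches whose output was
# flooding /data/moloch/logs/capture.log in this issue.
quiet_moloch_logging() {
  set_ini_key "$1" logESRequests false
  set_ini_key "$1" logFileCreation false
}

# Usage against a real install (run as root, then restart the Moloch service):
#   quiet_moloch_logging /data/moloch/etc/config.ini
#   get_ini_key /data/moloch/etc/config.ini logESRequests   # expect: false
```

Take a copy of config.ini before running this against a live install, and check the value with get_ini_key after the service restart: if capture still does not start, as it did not on the reporter's first attempt, the config edit itself is then ruled out and the next place to look is capture.log and the SELKS health check, as suggested in the thread.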