46 |
46 |
$suricatalogdirsizeKB = suricata_Getdirsize(SURICATALOGDIR);
|
47 |
47 |
|
48 |
48 |
if ($suricatalogdirsizeKB > 0 && $suricatalogdirsizeKB > $suricataloglimitsizeKB) {
|
49 |
|
log_error(gettext("[Suricata] Log directory size exceeds configured limit of " . number_format($suricataloglimitsize) . " MB set on Global Settings tab. All Suricata log files will be truncated."));
|
|
49 |
log_error(gettext("[Suricata] Log directory size exceeds configured limit of " . number_format($suricataloglimitsize) . " MB set on Global Settings tab. Starting cleanup of suricata logs."));
|
50 |
50 |
conf_mount_rw();
|
51 |
51 |
|
52 |
|
// Truncate the Rules Update Log file if it exists
|
53 |
|
if (file_exists(SURICATA_RULES_UPD_LOGFILE)) {
|
54 |
|
log_error(gettext("[Suricata] Truncating the Rules Update Log file..."));
|
55 |
|
@file_put_contents(SURICATA_RULES_UPD_LOGFILE, "");
|
56 |
|
}
|
57 |
|
|
58 |
52 |
// Initialize an array of the log files we want to prune
|
59 |
53 |
$logs = array ( "alerts.log", "block.log", "dns.log", "eve.json", "http.log", "files-json.log", "sid_changes.log", "stats.log", "tls.log" );
|
60 |
54 |
|
61 |
|
// Clean-up the logs for each configured Suricata instance
|
|
55 |
// Clean-up the rotated logs for each configured Suricata instance
|
62 |
56 |
foreach ($config['installedpackages']['suricata']['rule'] as $value) {
|
63 |
57 |
$if_real = get_real_interface($value['interface']);
|
64 |
58 |
$suricata_uuid = $value['uuid'];
|
65 |
59 |
$suricata_log_dir = SURICATALOGDIR . "suricata_{$if_real}{$suricata_uuid}";
|
66 |
|
log_error(gettext("[Suricata] Truncating logs for {$value['descr']} ({$if_real})..."));
|
|
60 |
log_error(gettext("[Suricata] Cleaning logs for {$value['descr']} ({$if_real})..."));
|
67 |
61 |
suricata_post_delete_logs($suricata_uuid);
|
68 |
62 |
|
69 |
63 |
foreach ($logs as $file) {
|
|
64 |
// Cleanup any rotated logs
|
|
65 |
log_error(gettext("[Suricata] Deleting rotated log files except last for {$value['descr']} ({$if_real}) $file..."));
|
|
66 |
$filelist = glob("{$suricata_log_dir}/{$file}.*");
|
|
67 |
// Keep most recent file
|
|
68 |
unset($filelist[count($filelist) - 1]);
|
|
69 |
foreach ($filelist as $file) {
|
|
70 |
unlink_if_exists($file);
|
|
71 |
}
|
|
72 |
unset($filelist);
|
|
73 |
}
|
|
74 |
|
|
75 |
// Check for any captured stored files and clean them up
|
|
76 |
unlink_if_exists("{$suricata_log_dir}/files/*");
|
|
77 |
|
|
78 |
// Check for any captured stored TLS certs and clean them up
|
|
79 |
unlink_if_exists("{$suricata_log_dir}/certs/*");
|
|
80 |
}
|
|
81 |
|
|
82 |
if (suricata_Getdirsize(SURICATALOGDIR) < suricataloglimitsizeKB) {
|
|
83 |
goto cleanupExit;
|
|
84 |
}
|
|
85 |
|
|
86 |
// Cleanup any rotated logs not caught above
|
|
87 |
log_error(gettext("[Suricata] Deleting any additional rotated log files..."));
|
|
88 |
unlink_if_exists("{$suricata_log_dir}/suricata_*/*.log.*");
|
|
89 |
unlink_if_exists("{$suricata_log_dir}/suricata_*/*.json.*");
|
|
90 |
|
|
91 |
if (suricata_Getdirsize(SURICATALOGDIR) < suricataloglimitsizeKB) {
|
|
92 |
goto cleanupExit;
|
|
93 |
}
|
|
94 |
|
|
95 |
// Clean-up active logs for each configured Suricata instance
|
|
96 |
foreach ($config['installedpackages']['suricata']['rule'] as $value) {
|
|
97 |
$if_real = get_real_interface($value['interface']);
|
|
98 |
$suricata_uuid = $value['uuid'];
|
|
99 |
$suricata_log_dir = SURICATALOGDIR . "suricata_{$if_real}{$suricata_uuid}";
|
|
100 |
if (suricata_Getdirsize(SURICATALOGDIR) < suricataloglimitsizeKB) {
|
|
101 |
goto cleanupExit;
|
|
102 |
}
|
|
103 |
|
|
104 |
foreach ($logs as $file) {
|
70 |
105 |
// Truncate the log file if it exists
|
71 |
106 |
if (file_exists("{$suricata_log_dir}/{$file}")) {
|
72 |
107 |
try {
|
... | ... | |
75 |
110 |
log_error("[Suricata] Failed to truncate file '{$suricata_log_dir}/{$file}' -- error was {$e->getMessage()}");
|
76 |
111 |
}
|
77 |
112 |
}
|
78 |
|
}
|
79 |
|
|
80 |
|
// Cleanup any rotated logs
|
81 |
|
log_error(gettext("[Suricata] Deleting any rotated log files for {$value['descr']} ({$if_real})..."));
|
82 |
|
unlink_if_exists("{$suricata_log_dir}/*.log.*");
|
83 |
|
|
84 |
|
// Cleanup any rotated pcap logs
|
85 |
|
log_error(gettext("[Suricata] Deleting any rotated pcap log files for {$value['descr']} ({$if_real})..."));
|
86 |
|
unlink_if_exists("{$suricata_log_dir}/log.pcap.*");
|
87 |
113 |
|
88 |
|
// Check for any captured stored files and clean them up
|
89 |
|
unlink_if_exists("{$suricata_log_dir}/files/*");
|
|
114 |
if (suricata_Getdirsize(SURICATALOGDIR) < suricataloglimitsizeKB) {
|
|
115 |
goto cleanupExit;
|
|
116 |
}
|
|
117 |
}
|
90 |
118 |
|
91 |
|
// Check for any captured stored TLS certs and clean them up
|
92 |
|
unlink_if_exists("{$suricata_log_dir}/certs/*");
|
|
119 |
if (suricata_Getdirsize(SURICATALOGDIR) < suricataloglimitsizeKB) {
|
|
120 |
goto cleanupExit;
|
|
121 |
}
|
|
122 |
}
|
93 |
123 |
|
94 |
|
// This is needed if suricata is run as suricata user
|
95 |
|
mwexec('/bin/chmod 660 /var/log/suricata/*', true);
|
|
124 |
// Truncate the Rules Update Log file if it exists
|
|
125 |
if (file_exists(SURICATA_RULES_UPD_LOGFILE)) {
|
|
126 |
log_error(gettext("[Suricata] Truncating the Rules Update Log file..."));
|
|
127 |
@file_put_contents(SURICATA_RULES_UPD_LOGFILE, "");
|
96 |
128 |
}
|
|
129 |
|
|
130 |
cleanupExit:
|
|
131 |
// This is needed if suricata is run as suricata user
|
|
132 |
mwexec('/bin/chmod 660 /var/log/suricata/*', true);
|
97 |
133 |
conf_mount_ro();
|
98 |
134 |
log_error(gettext("[Suricata] Automatic clean-up of Suricata logs completed."));
|
99 |
135 |
}
|