Bug #7756: suricata_check_dir_size_limit() needs to be improved
Status: Closed
Category: Suricata
% Done: 0%
Description
The cleanup process in suricata_check_dir_size_limit() is not very optimal. There are a couple of issues:
- It immediately truncates active logs, including alerts, and cleans up as much as it can rather than as little as it needs to. It should start by first removing some amount of rotated logs, and stop when enough space is cleared.
- It assumes rotated logs are of the form "*.log.*". This isn't true for eve.json, which is generally the largest culprit.
- log.pcap.* is processed there and in suricata_post_delete_logs()
The attached patch attempts to fix this. It first cleans up rotated logs, then stops if it has cleaned up enough. It then goes on to clean more in stages.
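The staged approach the report asks for, as an added illustration that is not the submitted patch or the pfSense package's own code (which is PHP): rotated logs go first, oldest first, and cleanup stops as soon as the directory is under the limit; only then are active logs truncated, with the alerts log kept until last. The ordering of the later stages, the list of active log names, and the sample files with their sizes and mtimes are all assumptions constructed for this example.

```python
import os
import re
import tempfile
from pathlib import Path

# Logs Suricata writes to directly. Constructed list for this example; the
# real set depends on the outputs enabled in suricata.yaml.
ACTIVE_LOGS = ("alerts", "eve.json", "fast.log", "stats.log")

# Matching only "*.log.*" misses rotated EVE output, which is named
# eve.json.<timestamp>, so both forms are recognised here.
ROTATED_RE = re.compile(r'(\.log\.|^eve\.json\.)')


def dir_size(path):
    """Total size in bytes of regular files directly inside path."""
    return sum(f.stat().st_size for f in Path(path).iterdir() if f.is_file())


def rotated_logs(path):
    """Rotated (inactive) logs, oldest first, so the least useful data goes first."""
    files = [f for f in Path(path).iterdir()
             if f.is_file() and f.name not in ACTIVE_LOGS and ROTATED_RE.search(f.name)]
    return sorted(files, key=lambda f: (f.stat().st_mtime, f.name))


def check_dir_size_limit(path, limit_bytes):
    """Bring path under limit_bytes in stages, doing as little as needed.

    Returns the list of (action, filename) tuples performed, in order.
    """
    actions = []
    path = Path(path)
    if dir_size(path) <= limit_bytes:
        return actions

    # Stage 1: delete rotated logs, oldest first, stopping once enough is freed.
    for f in rotated_logs(path):
        f.unlink()
        actions.append(("unlink", f.name))
        if dir_size(path) <= limit_bytes:
            return actions

    # Stage 2 (assumed ordering): truncate active logs other than alerts,
    # largest first, again stopping as soon as the limit is met.
    active = [path / n for n in ACTIVE_LOGS if n != "alerts" and (path / n).is_file()]
    for f in sorted(active, key=lambda f: (-f.stat().st_size, f.name)):
        if f.stat().st_size == 0:
            continue
        f.write_bytes(b"")
        actions.append(("truncate", f.name))
        if dir_size(path) <= limit_bytes:
            return actions

    # Stage 3 (assumed): the alerts log is truncated only as a last resort.
    alerts = path / "alerts"
    if alerts.is_file() and alerts.stat().st_size > 0:
        alerts.write_bytes(b"")
        actions.append(("truncate", "alerts"))
    return actions


def build_sample_dir(path):
    """Populate path with constructed sample files (sizes and mtimes are made up)."""
    path = Path(path)
    files = {
        # name: (size in bytes, mtime as epoch seconds)
        "alerts": (100, 1500000000),
        "eve.json": (3000, 1500000000),
        "fast.log": (500, 1500000000),
        "fast.log.1499880000": (1000, 1499880000),
        "eve.json.1499900000": (4000, 1499900000),
        "eve.json.1499950000": (2000, 1499950000),
    }
    for name, (size, mtime) in files.items():
        p = path / name
        p.write_bytes(b"x" * size)
        os.utime(p, (mtime, mtime))
    return path


def sample_dir():
    """Fresh temporary directory holding the constructed sample files."""
    return build_sample_dir(tempfile.mkdtemp())


if __name__ == "__main__":
    d = sample_dir()
    print(check_dir_size_limit(d, 5000))  # only rotated logs, oldest first
    print(check_dir_size_limit(d, 3000))  # then the largest active log
    print(check_dir_size_limit(d, 50))    # alerts truncated last
```

Run with successively tighter limits against the same directory to see each stage engage: the first call removes the three rotated files and leaves every active log intact, the second truncates only eve.json, and alerts is touched only when nothing else remains to free.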
Updated by Bill Meeks over 6 years ago
I'm the volunteer package maintainer for Suricata on pfSense. Thank you for providing a patch to go along with your bug report. The best way to submit your patch is to sign a Contributor License Agreement (CLA) on the pfSense website (you can do it all electronically), and then submit your patch as a pull request here: https://github.com/pfsense/FreeBSD-ports. This is assuming you have a GitHub account. If not, or if you don't wish to bother with the CLA, I will include your patch in the next update I submit for Suricata. It's been a very long time since I've looked at the log cleanup code, and some changes were overdue.
Bill
Updated by Orion Poplawski over 6 years ago
Updated by Bill Meeks over 6 years ago
Thanks! Another user had also submitted a fix for the EVE JSON log rotation issue. I asked him about incorporating your patch into his before I saw your recent reply, but if you have submitted yours already via GitHub, that's great.
Bill
Updated by Bill Meeks over 6 years ago
This bug is fixed in GUI package version 4.0.0 using the code submitted by the OP.