Bug #7756

closed

suricata suricata_check_dir_size_limit() needs to be improved

Added by Orion Poplawski almost 7 years ago. Updated over 6 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Suricata
Target version: -
Start date: 08/04/2017
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version: 2.3.4_1
Affected Plus Version:
Affected Architecture:

Description

The cleanup process in suricata_check_dir_size_limit() is not very optimal. There are a couple of issues:

- It immediately truncates active logs - including alerts, and cleans up as much as it can rather than as little as it needs to. It should start by first removing some amount of rotated logs, and stop when enough space is cleared.
- It assumes rotated logs are of the form "*.log.*" - this isn't true for eve.json - and is generally the largest culprit
- log.pcap.* is processed there and in suricata_post_delete_logs()

The attached patch attempts to fix this. It first cleans up rotated logs, then stops if it has cleaned up enough. It then goes on to clean more in stages.


Files

suricata_check_cron_misc.inc.patch (5.01 KB) - Initial patch - Orion Poplawski, 08/04/2017 11:16 AM
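
The staged cleanup the description asks for, sketched as an added example; it is not the attached patch or the pfSense package's code. The function names, the pattern lists and the sample directory are assumptions made for illustration.

```python
import fnmatch
import os
import tempfile

# Assumed name patterns. "eve.json.*" covers the rotated files that the
# report says a bare "*.log.*" match misses.
ROTATED = ("*.log.*", "eve.json.*", "log.pcap.*")
ACTIVE = ("*.log", "eve.json")

def _select(path, patterns, key):
    """Regular files in `path` matching any pattern, ordered by `key`."""
    hits = [e for e in os.scandir(path)
            if e.is_file(follow_symlinks=False)
            and any(fnmatch.fnmatch(e.name, p) for p in patterns)]
    return sorted(hits, key=key)

def enforce_limit(path, limit):
    """Free space in stages and stop as soon as usage is <= limit bytes."""
    size = sum(e.stat().st_size for e in os.scandir(path) if e.is_file())
    actions = []
    # Stage 1: delete rotated logs, oldest first.
    for e in _select(path, ROTATED, lambda e: e.stat().st_mtime):
        if size <= limit:
            return actions
        size -= e.stat().st_size
        os.unlink(e.path)
        actions.append(("deleted", e.name))
    # Stage 2 (last resort): truncate active logs, largest first.
    for e in _select(path, ACTIVE, lambda e: -e.stat().st_size):
        if size <= limit:
            break
        size -= e.stat().st_size
        os.truncate(e.path, 0)
        actions.append(("truncated", e.name))
    return actions

def demo(limit):
    """Run against a constructed directory; names, sizes, mtimes are made up."""
    sample = [("eve.json.1", 400, 100), ("alerts.log.1", 100, 200),
              ("eve.json", 300, 300), ("alerts.log", 50, 400)]
    with tempfile.TemporaryDirectory() as d:
        for name, size, mtime in sample:
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(b"x" * size)
            os.utime(p, (mtime, mtime))
        return enforce_limit(d, limit), sorted(os.listdir(d))

if __name__ == "__main__":
    print(demo(500))
```

With the sample directory at 850 bytes, a 500-byte limit removes only the oldest rotated eve.json file and leaves the active alert log untouched.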