Snort mailing list archives

Re: Unified2 filling up HDD


From: wkitty42 () windstream net
Date: Mon, 15 Feb 2016 19:33:49 -0500

On 02/15/2016 05:56 PM, Matthew White wrote:
> The unified2 logs are filling up the HDD to the point there is no more space
> and I had to manually delete them just to start Snort again.
>
> Any idea where to start?

What do you mean "where to start?"??? If you are using barnyard2 or some other 
tool to import them into a database, then it should be a simple matter of 
archiving the old ones that have already been processed...

A new one should be created each time that snort is (re)started... one possible 
avenue of travel might be to archive those that exist and then restart snort... 
determining if barnyard2 or another tool is processing that last u2 file before 
it gets archived is another matter...

If BY2 and other tools process the u2 files on any change (e.g. a tight loop 
looking for a change), then rotating those u2 files as if they are any other log 
file should be OK... there is the possibility that some data may be missed in 
the second or two that it takes for the processing and log rotating, but it 
should not be enough to cause any problems...

Archiving and removing old log files should not be a problem... depending on 
one's needs, the time to retain the originals may be dictated by corporate (and 
gov't) policies... some require a retention period of 12 months... others for 
longer... they don't, AFAIK, state that the logs must be maintained on the 
originating machine... in those cases, moving them to some sort of archival 
server would seem to be a GoodThing<tm>... personally speaking, I would not 
consider storing them in any cloud thing unless that cloud is *completely* 
under the control of the entity owning those logs...

-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
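The rotation the reply describes, written out as a small POSIX shell script. This is an added example, not the poster's script and not something shipped with Snort or barnyard2. It assumes the unified2 files sit in one spool directory and are named snort.log.<epoch> (Snort's default when the unified2 output is configured with filename snort.log), that the highest epoch suffix is the file Snort currently has open, that a continuously running barnyard2 has finished with any file untouched for the configured number of minutes, and that psmisc fuser, when present, can serve as an extra "still open by some process" guard. The /var/log/snort paths in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post, not part of Snort or barnyard2):
# rotate unified2 spool files like any other log, while never touching the one
# Snort is writing, then enforce a retention period on the compressed copies.
#
# Assumptions made here, not stated in the thread:
#   - spool files are named snort.log.<epoch>; the newest epoch suffix is the
#     file Snort has open right now (a new one appears on each restart).
#   - a continuously running barnyard2 has finished with any file that has not
#     been modified for MIN_AGE_MIN minutes, so those are safe to archive.
#   - if psmisc "fuser" exists it is used as an extra guard: a file some process
#     still holds open (Snort or barnyard2) is skipped this round.

# archive_u2 SPOOL_DIR ARCHIVE_DIR [MIN_AGE_MIN]
# Gzips every eligible spool file into ARCHIVE_DIR, removes the original,
# and prints how many files were moved.
archive_u2() {
    spool_dir=$1
    archive_dir=$2
    min_age_min=${3:-60}

    mkdir -p "$archive_dir" || return 1

    # Highest epoch suffix == the file Snort is writing. Never touch it, even
    # when it is old (Snort may simply have logged nothing for a while).
    current=$(cd "$spool_dir" && ls snort.log.* 2>/dev/null \
              | sort -t. -k3,3n | tail -n 1)

    find "$spool_dir" -maxdepth 1 -type f -name 'snort.log.*' \
         -mmin +"$min_age_min" | {
        n=0
        while IFS= read -r f; do
            name=$(basename "$f")
            [ "$name" = "$current" ] && continue
            # Extra guard (assumption: psmisc fuser): skip files still open.
            if command -v fuser >/dev/null 2>&1 && fuser -s "$f" 2>/dev/null; then
                continue
            fi
            # Copy-compress into the archive first; only then drop the original,
            # so a failed gzip never loses the binary unified2 record stream.
            if gzip -c "$f" > "$archive_dir/$name.gz"; then
                rm -f "$f"
                n=$((n + 1))
            else
                rm -f "$archive_dir/$name.gz"
            fi
        done
        echo "$n"
    }
}

# prune_archive ARCHIVE_DIR RETAIN_DAYS
# Delete compressed copies older than RETAIN_DAYS (365 for a 12-month policy);
# prints how many were removed.
prune_archive() {
    archive_dir=$1
    retain_days=$2
    find "$archive_dir" -maxdepth 1 -type f -name 'snort.log.*.gz' \
         -mtime +"$retain_days" -print -exec rm -f {} + | wc -l | tr -d ' '
}

# Typical cron usage (hypothetical paths):
#   archive_u2 /var/log/snort /var/log/snort/archive 60
#   prune_archive /var/log/snort/archive 365
```

The age threshold is the knob the reply's caveat turns on: the larger it is, the less chance that barnyard2 is still inside a file when it is moved, at the cost of holding more data on the sensor. Files are moved after compression rather than truncated in place, so the record stream barnyard2 is tailing is never rewritten underneath it, and the unified2 output "limit" option in snort.conf (which makes Snort itself start a new file at a size cap) keeps individual files small enough that age-based rotation has something to work on between restarts.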

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
