
List:       security-onion
Subject:    [security-onion] Increasing ELSA index beyond 2.1 billion logs
From:       Gary Faulkner <gfaulkner.nsm () gmail ! com>
Date:       2015-08-25 22:18:51
Message-ID: 55DCE9CB.1010606 () gmail ! com

Hello,

I seem to be stuck with a maximum index size of around 2.1 billion logs 
across 2 load-balanced SO-ELSA nodes, which in my environment means an 
index of about 2 days at 40K EPS. I've tried un-commenting and setting 
the retention period manually to as high as 30 days, as well as 
increasing the amount of disk dedicated to ELSA (currently about 17TB 
dedicated to the data/nsm partition). Index is only using around 2TB and 
archive is around 2.4TB at present. I also have 128GB of RAM. I've 
restarted syslog-ng post changes as well as rebooted the box, but the 
changes don't seem to be increasing my index size. Are there some other 
settings I should be tweaking, or steps I am missing? Disk space doesn't 
seem to be the limiting factor at present.

Thanks,
Gary

-- 
You received this message because you are subscribed to the Google Groups
"security-onion" group. To unsubscribe from this group and stop receiving emails from
it, send an email to security-onion+unsubscribe@googlegroups.com. To post to this
group, send email to security-onion@googlegroups.com. Visit this group at
http://groups.google.com/group/security-onion. For more options, visit
https://groups.google.com/d/optout.

