
List:       security-onion
Subject:    Re: [security-onion] After Security Onion upgrade, problems with /opt/elsa/web/cron.pl processes bei
From:       Doug Burks <doug.burks () gmail ! com>
Date:       2015-08-29 11:21:59
Message-ID: CAK8kjrA6_-RNUzMw8w6CWvqt8LnST94iR6XYG0WRixopDNPZBw () mail ! gmail ! com

On Fri, Aug 28, 2015 at 3:34 AM, Magnus Wild <magnus@kalasarn.se> wrote:
> Status update. We have tried to purge the logs from the sensor like you suggested,
> and it seems that it worked fine. No more batched queries and you get the expected
> results within this 2 days period.
> One thing I noticed though is that the disk is quickly filling up, and it seems
> that ELSA is using up most of the space again. On the 20150826 after the purge we
> had 42G used on the /nsm mountpoint. Now, two days later roughly we have 615G used,
> which will mean that we will hit our 2 day index limit pretty soon. Is this really
> the expected increase for two days worth of ~100Mbps traffic?

That's somewhat dependent on your exact mix of traffic.

Looking back at your sostat output from the sensor, it shows that
you're sniffing both eth1 and eth3.  How much traffic is each of
these interfaces seeing?

Your sostat output also shows that you have 3 Bro workers for each of
these sniffing interfaces.  You probably don't need 3 Bro workers for
just 100Mbps of traffic, so are you sure that's all the traffic
they're seeing?

Also, are you sending any other logs to ELSA?

Any syslog?

Any OSSEC agents?


-- 
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

