List: security-onion
Subject: Re: [security-onion] sensor log retention
From: Bryan DENISE <bryan.denise51 () gmail ! com>
Date: 2019-11-28 17:37:04
Message-ID: dbb267e3-81ba-46d8-a4d9-c6dcc120ec32 () googlegroups ! com
All is ok... for the moment
Thanks
On Thursday, 28 November 2019 16:14:32 UTC, Bryan DENISE wrote:
>
> Hello,
>
> Thank you for the link. But if I understand, there is actually not really
> a solution yet?
> So, I resized the disk from 300 GB to 800 GB and for the moment the logs are not
> purged yet, but I still have problems:
> In the pcap log, it seems to search for a log with an "old" number and doesn't
> find it. I've tried setting my computer clock to UTC, but I always have the same problem.
>
> Thanks
> Regards
>
> On Wednesday, 27 November 2019 21:04:59 UTC, Wes wrote:
> >
> > I think I understand what you are saying now -- we have an open issue for
> > this:
> >
> > https://github.com/Security-Onion-Solutions/security-onion/issues/1484
> >
> > Thanks,
> > Wes
> >
> >
> > On Wed, Nov 27, 2019 at 10:23 AM Bryan DENISE <bryan....@gmail.com>
> > wrote:
> >
> > > Hello Wes,
> > >
> > > Thanks for your answer. I can increase the disk space, but the problem is
> > > going to happen again: one sensor will keep 2-3 days and the three others will
> > > clean their logs immediately because the first sensor's logs will consume all the
> > > space...? No?
> > >
> > > Thanks
> > >
> > > On Wednesday, 27 November 2019 12:45:37 UTC, Wes wrote:
> > > >
> > > > Your retention is going to be based off of available disk space. If
> > > > you don't have the space, you won't be able to retain for long. Another
> > > > option would be to filter traffic with BPF or something similar, to weed
> > > > out unwanted traffic, allowing you to store data for longer.
> > > >
> > > > Thanks,
> > > > Wes
> > > >
> > > > On Tue, Nov 26, 2019 at 12:19 PM Bryan DENISE <bryan....@gmail.com>
> > > > wrote:
> > > >
> > > > > Hello,
> > > > >
> > > > > I have a SO standalone server with 4 sensors. When I try to see the
> > > > > pcap of an event, I always get "ERROR: No data was returned. Check
> > > > > pcap_agent".
> > > > > When I look at the pcap agent log, I see it doesn't find the file in the
> > > > > folder for the requested event time. This is normal because 3 of 4 sensors
> > > > > only keep the log files in dailylog for no more than one minute. Only one
> > > > > sensor keeps many files covering one or more days.
> > > > > How can I adjust the time retention for each sensor, please?
> > > > >
> > > > > Thanks
> > > > > Regards
> > > > >
> > > > > --
> > > > > Follow Security Onion on Twitter!
> > > > > https://twitter.com/securityonion
> > > > > ---
> > > > > You received this message because you are subscribed to the Google
> > > > > Groups "security-onion" group.
> > > > > To unsubscribe from this group and stop receiving emails from it, send
> > > > > an email to securit...@googlegroups.com.
> > > > > To view this discussion on the web visit
> > > > > https://groups.google.com/d/msgid/security-onion/e00b9ff3-e008-4a31-850d-d26488e3047f%40googlegroups.com \
> > > > > <https://groups.google.com/d/msgid/security-onion/e00b9ff3-e008-4a31-850d-d26488e3047f%40googlegroups.com?utm_medium=email&utm_source=footer>
> > > > >
> > > > >
> > > >
> > > >
> > > > --
> > > > https://twitter.com/therealwlambert
> > > > https://securityonion.net/
> > > >
> >
> >
>
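Wes's answer above ties pcap retention to free disk, and the original report is that three of four sensors hold under a minute of pcap while one holds days. As an added example that is not part of this thread or of Security Onion's own tooling, the POSIX shell script below measures per sensor how much pcap history is actually on disk, so the imbalance can be confirmed before resizing the disk or adding a BPF filter. It assumes (not stated in the thread) that pcap files carry an epoch-seconds suffix such as snort.log.<epoch> and live under <root>/<sensor>/dailylogs/<date>/; the sensor tree it builds is constructed test data.

```shell
#!/bin/sh
# Added example, not Security Onion's own tooling: measure how much pcap history
# each sensor really holds, to confirm the "one keeps days, others keep under a
# minute" pattern before resizing disks or adding BPF filters.
# Assumption (not from the thread): pcap files carry an epoch-seconds suffix,
# e.g. snort.log.1574700000, under <root>/<sensor>/dailylogs/<date>/.
# retention_span ROOT SENSOR -> "<files> <oldest epoch> <newest epoch> <span s>"
retention_span() {
    root=$1 sensor=$2 oldest='' newest='' count=0
    for f in "$root/$sensor"/dailylogs/*/*.[0-9]*; do
        [ -f "$f" ] || continue
        ts=${f##*.}                              # epoch suffix after last dot
        case $ts in *[!0-9]*) continue ;; esac    # skip non-numeric suffixes
        count=$((count + 1))
        { [ -z "$oldest" ] || [ "$ts" -lt "$oldest" ]; } && oldest=$ts
        { [ -z "$newest" ] || [ "$ts" -gt "$newest" ]; } && newest=$ts
    done
    [ "$count" -eq 0 ] && { echo "0 0 0 0"; return; }
    echo "$count $oldest $newest $((newest - oldest))"
}

# short_retention_sensors ROOT MIN_SECONDS -> sensors holding less than
# MIN_SECONDS of pcap, space separated on one line (empty line if none)
short_retention_sensors() {
    root=$1 min=$2 hits=''
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        s=$(basename "$d")
        set -- $(retention_span "$root" "$s")    # $4 is the span in seconds
        [ "$4" -lt "$min" ] && hits="$hits${hits:+ }$s"
    done
    echo "$hits"
}

# make_fixture -> constructed sensor tree: sensor1 spans two days, sensor2..4
# hold 30 seconds each, mirroring the 1-of-4 situation in the thread
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/sensor1/dailylogs/d"
    for ts in 1574700000 1574786400 1574872800; do
        : > "$root/sensor1/dailylogs/d/snort.log.$ts"
    done
    for s in sensor2 sensor3 sensor4; do
        mkdir -p "$root/$s/dailylogs/d"
        : > "$root/$s/dailylogs/d/snort.log.1574872800"
        : > "$root/$s/dailylogs/d/snort.log.1574872830"
    done
    echo "$root"
}
demo=$(make_fixture)   # stand-alone run against the constructed tree
echo "sensors with under one day of pcap: $(short_retention_sensors "$demo" 86400)"; rm -rf "$demo"
```

On a real deployment, point short_retention_sensors at the directory that holds the sensors' pcap trees instead of the constructed fixture.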