<div dir="ltr"><div><div>Hi,<br><br></div>I set up suricata 2.0.6 on a Gentoo Linux box and let it report into Prelude.<br><br>  # alert output to prelude (<a href="http://www.prelude-technologies.com/">http://www.prelude-technologies.com/</a>) only<br>  # available if Suricata has been compiled with --enable-prelude<br>  - alert-prelude:<br>      enabled: yes<br>      profile: suricata<br>      log-packet-content: yes<br>      log-packet-header: yes<br><br>This requires the compilation opts:<br></div><div><br>./configure --sysconfdir=/etc/ --localstatedir=/var/ -disable-gccmarch-native --enable-gccprotect --prefix=/usr --enable-unix-socket --enable-luajit --with-libcap_ng-libraries=/usr/local/lib --with-libcap_ng-includes=/usr/local/include --enable-gccmarch-native<br><br>--enable-prelude<br><br></div><div>This depends on libprelude (1.2.5).<br></div><div><br>The file /usr/local/var/spool/prelude/suricata/global grows to 100% disk space once suricata runs for a while.<br><br></div><div>I fix this with cron (dirty):<br><br></div><div>rm -rf /usr/local/var/spool/prelude/suricata/global<br>kill -9 $(cat /var/run/suricata.pid)<br><br></div><div>Is there any config which would limit this?<br><br></div><div>Best,<br></div><div>Marius<br></div><div><br><br></div></div>