[Oisf-users] suricata filling disk space

[Christophe Vandeplas]

Patel,

It will probably not be a satisfying answer, as it does not prevent your
disk to fill up, but I would do the following:
- configure logrotate to rotate and compress your logs when a certain
filesize is reached.  This will allow you to store up to 10 times the
volume of logs thanks to the compression.
- configure your monitoring tool to alert you when your disk reaches 70 or
80% of usage. In combination with the logrotate you might even get multiple
alerts as you will probably reach that point multiple times before
logrotate kicks in and gives you extra storage again. In any case
monitoring important systems are crucial, so if you're not yet monitoring
it, please do. !!

- worst-case you can configure logrotate to remove old logfiles after X
entries. However I prefer to remove them upon age to prevent loosing
important info.

This way you keep your logs, which might be interesting for further
investigation, but you also limit and controm further damage.

Kind regards
Christophe


On 3 December 2015 at 05:35, Satish Patel <satish.txt at gmail.com> wrote:

> Hello,
>
> I am running suricata-2.0.9 but suddenly yesterday we got DDoS and i found
> with in 10 min suricata fill 10G disk space in /var/log.  many many
> unitifed alert files.
>
> How do i optimize configuration to not fill disk and reduce logging if
> there is a DDoS.
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona:
> http://oisfevents.net
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20151203/132f7160/attachment-0002.html>