[Oisf-users] Unified2 logs exceeding max file size

Andreas Moe moe.andreas at gmail.com
Mon Nov 30 07:35:14 UTC 2015


The default limit for unified2 logs is 32MB[1], and I have not altered this
in any way. All (or, apparently not all) of my unified2 files are rotating
at this size. But under some situations / high load, with some filestore
signatures included, file sizes drastically increase, and my resulting
snort.log contains a whole bunch of duplicates. I have checked other
systems and other logs, there are _not_ that many files and events
happening on the network that is being reported on. Maybe a few thousand
downloads, but many million log entries...

Using: Suricata 2.0.9, CentOS 7.1, Kernel 3.10.

333M 12:33 unified2.alert.1448796813
334M 12:33 unified2.alert.1448796814
334M 12:33 unified2.alert.1448796815
334M 12:33 unified2.alert.1448796816
300M 12:33 unified2.alert.1448796817
333M 12:33 unified2.alert.1448796818
300M 12:33 unified2.alert.1448796819
333M 12:33 unified2.alert.1448796820
300M 12:33 unified2.alert.1448796821
300M 12:33 unified2.alert.1448796822
300M 12:33 unified2.alert.1448796823
333M 12:33 unified2.alert.1448796824
267M 12:33 unified2.alert.1448796825
300M 12:33 unified2.alert.1448796826
300M 12:33 unified2.alert.1448796827
199M 12:33 unified2.alert.1448796828
33M 12:33 unified2.alert.1448796829
33M 12:34 unified2.alert.1448796837
33M 12:34 unified2.alert.1448796851
33M 12:34 unified2.alert.1448796862
33M 12:48 unified2.alert.1448796868
33M 12:48 unified2.alert.1448797708
33M 12:49 unified2.alert.1448797734
33M 13:35 unified2.alert.1448797749

[1]
https://github.com/inliniac/suricata/blob/dcbbda505f1abb55739333de0c6c347e30cb5797/src/alert-unified2-alert.c#L79
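As an added example (not from the original post and not Suricata's own code), a small Python script that walks a unified2 file using the 8-byte record header (uint32 type, uint32 length, network byte order) and the 52-byte IDS event body of record type 7 from Snort's unified2 format. It counts records per type, flags events that repeat the same signature and 5-tuple within the same second (one way to measure the duplicates the post describes), reports a truncated trailing record, and compares the file size with the 32MB default. The sample bytes are constructed inline; the sensor/event/signature ids and IP addresses in them are made up.

```python
"""Inspect a unified2 file: records per type, repeated events, size vs. limit."""
import struct
import sys
from collections import Counter

# unified2 record header: uint32 type, uint32 length (big-endian)
RECORD_HDR = struct.Struct(">II")
# IDS event body (record type 7): 11 x uint32, 2 x uint16, 4 x uint8 = 52 bytes
# sensor_id, event_id, event_second, event_microsecond, signature_id,
# generator_id, signature_revision, classification_id, priority_id,
# ip_source, ip_destination, sport_itype, dport_icode, protocol,
# impact_flag, impact, blocked
IDS_EVENT = struct.Struct(">11I2H4B")
UNIFIED2_EVENT = 7
DEFAULT_LIMIT_BYTES = 32 * 1024 * 1024  # the 32MB default from the post


def iter_records(data):
    """Yield (type, body) for every complete record; a partial tail is
    reported as ("truncated", bytes) so an abnormal end is not silently lost."""
    offset = 0
    while offset + RECORD_HDR.size <= len(data):
        rtype, length = RECORD_HDR.unpack_from(data, offset)
        start = offset + RECORD_HDR.size
        end = start + length
        if end > len(data):
            yield ("truncated", data[start:])
            return
        yield (rtype, data[start:end])
        offset = end
    if offset != len(data):  # fewer than 8 bytes left: not even a header
        yield ("truncated", data[offset:])


def event_key(body):
    """Key that ignores sensor_id/event_id: same second, signature and 5-tuple."""
    f = IDS_EVENT.unpack_from(body)
    return (f[2], f[4], f[5], f[9], f[10], f[11], f[12], f[13])


def summarize(data, limit_bytes=DEFAULT_LIMIT_BYTES):
    """Return counts per record type, repeated-event count and size check."""
    counts = Counter()
    seen = set()
    repeated = 0
    for rtype, body in iter_records(data):
        counts[rtype] += 1
        if rtype == UNIFIED2_EVENT and len(body) >= IDS_EVENT.size:
            key = event_key(body)
            if key in seen:
                repeated += 1
            seen.add(key)
    return {
        "size": len(data),
        "over_limit": len(data) > limit_bytes,
        "counts": dict(counts),
        "repeated_events": repeated,
    }


def scan_file(path, limit_bytes=DEFAULT_LIMIT_BYTES):
    with open(path, "rb") as fh:
        return summarize(fh.read(), limit_bytes)


def make_event(event_id, second, sig_id, src, dst, sport, dport):
    """Build one type-7 record (constructed sample data, fixed filler fields)."""
    body = IDS_EVENT.pack(1, event_id, second, 0, sig_id, 1, 1, 3, 2,
                          src, dst, sport, dport, 6, 0, 0, 0)
    return RECORD_HDR.pack(UNIFIED2_EVENT, len(body)) + body


# Constructed sample: two events that repeat the same signature and 5-tuple
# in the same second, one distinct event, and a record cut off mid-body.
SAMPLE = (
    make_event(1, 1448796813, 2000001, 0x0A000001, 0xC0A80101, 44321, 80)
    + make_event(2, 1448796813, 2000001, 0x0A000001, 0xC0A80101, 44321, 80)
    + make_event(3, 1448796813, 2000002, 0x0A000001, 0xC0A80101, 44322, 443)
    + RECORD_HDR.pack(UNIFIED2_EVENT, IDS_EVENT.size) + b"\x00" * 10
)

if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        print("sample:", summarize(SAMPLE))
    for p in paths:
        print(p, scan_file(p))
```

Run it with no arguments to see the summary of the constructed sample, or pass one or more unified2.alert.* files; "over_limit" is true for any file larger than the 32MB default, and "repeated_events" counts events whose second, signature and 5-tuple were already seen in that file.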