[Snort-users] Unified2 filling up HDD

wkitty42 at ...14940...
Mon Feb 15 19:33:49 EST 2016

On 02/15/2016 05:56 PM, Matthew White wrote:
> The unified2 logs are filling up the HDD to the point there is no more space
> and I had to manually delete them just to start Snort again.
> Any idea where to start?

what do you mean "where to start?"??? if you are using barnyard2 or some other 
tool to import them into a database, then it should be a simple matter of 
archiving the old ones that have already been processed...

a new one should be created each time that snort is (re)started... one possible 
avenue of travel might be to archive those that exist and then restart snort... 
determining if barnyard2 or another tool is processing that last u2 file before 
it gets archived is another matter...

if BY2 and other tools process the u2 files on any change (eg: a tight loop 
looking for a change) then rotating those u2 files as if they are any other log 
file should be OK... there is the possibility that some data may be missed in 
the second or two that it takes for the processing and log rotating but it 
should not be enough to cause any problems...

archiving and removing old log files should not be a problem... depending on 
one's needs, the time to retain the originals may be depicted by corporate (and 
gov't) policies... some require a retention period of 12 months... others for 
longer... they don't, AFAIK, state that the logs must be maintained on the 
originating machine... in those cases, moving them to some sort of archival 
server would seem to be a GoodThing<tm>... personally speaking, i would not 
consider storing them in any cloud thing unless that cloud is *completely* 
under the control of the entity owning those logs...

  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
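One way to do the rotation the reply describes, written as an added example that is not from the post or from the Snort/barnyard2 projects. It assumes Snort's default unified2 naming (snort.log.<epoch>), that the consumer has finished with every spool file except the newest one (which Snort is still writing and which is left alone), and that paths contain no spaces; the fuser check is a best-effort guard against archiving a file barnyard2 still has open.

```shell
#!/bin/sh
# Added example: archive processed unified2 spool files so they stop
# filling the disk, leaving the newest (still being written) in place.
# Assumptions: files are named <base>.<epoch>, paths have no spaces.

# List unified2 spool files in a directory, oldest first by epoch suffix.
#   $1 = spool directory, $2 = base name (e.g. snort.log)
u2_files() {
    ls -1 "$1"/"$2".* 2>/dev/null \
        | awk -F. '{ print $NF, $0 }' | sort -n | cut -d' ' -f2-
}

# Every spool file except the newest one, which Snort is still writing.
u2_archivable() {
    u2_files "$1" "$2" | sed '$d'
}

# Compress each archivable file into $3, remove the original, and print
# how many files were archived (constructed convention for this example).
#   $1 = spool directory, $2 = base name, $3 = archive directory
u2_archive() {
    spool=$1; base=$2; archive=$3
    mkdir -p "$archive"
    count=0
    for f in $(u2_archivable "$spool" "$base"); do
        # Skip a file some process (e.g. barnyard2) still holds open, so an
        # in-progress read is not interrupted; fuser may be absent.
        if command -v fuser >/dev/null 2>&1 && fuser "$f" >/dev/null 2>&1; then
            continue
        fi
        if gzip -c "$f" > "$archive/$(basename "$f").gz"; then
            rm -f "$f"
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# Stand-alone use: u2_archive.sh <spool_dir> <base_name> [archive_dir]
if [ "$#" -ge 2 ]; then
    u2_archive "$1" "$2" "${3:-$1/archive}"
fi
```

Run it from cron or after a Snort restart; the .gz files in the archive directory are what you would ship to an archival server for the retention period your policy requires.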
