Author Topic: Suricata "stats.log" cleaning and configuration optimization  (Read 6447 times)

m4dm4n

Suricata "stats.log" cleaning and configuration optimization
« on: November 22, 2013, 01:23:42 pm »
Hi,

Since the default config from Suricata states that it will put some info every 8 seconds into the stats.log file, it can grow very large in no time. And if you access your server remotely, you cannot become root, and sudo does not allow you to zero that file.
When I say big, I mean gigabytes big, and most admins rarely look at that realtime data.
So, we need to take care of it.
To delete the file (Suricata will recreate it at start), stop the Suricata engine first:

Code:
sudo /etc/init.d/zentyal ips stop
Then delete the "stats.log" file (you can first check its size :) )

Code:
sudo rm /var/log/suricata/stats.log
Then, we need to optimize that configuration a little. Open its main config file:

Code:
sudo nano /usr/share/zentyal/stubs/ips/suricata-debian.yaml.mas
Then locate the category "stats:".
Under it you will find the line "interval: 8". That means that every 8 seconds the file will be refreshed with new data. For starters, you can put 60 or so there, and after a while, if you're not satisfied, play with those numbers a little. Save that file.

And then start the Suricata engine:

Code:
sudo /etc/init.d/zentyal ips start
P.S. If I can make some suggestions, I think Suricata is really a good choice for modern secure systems, and congrats to the developers for choosing it over Snort.
But, first of all, we really shouldn't have that old version from the Ubuntu repo; maybe you should build the last stable version and put it in your own repo.
And last but not least, some configuration changes should be implemented. Rules could be used from Emerging Threats. And does anybody know how those rules are updated? Or should we use oinkmaster for it?
And definitely, not bound only to Suricata, a better reporting module is needed (GUI, better filtering options).

« Last Edit: November 22, 2013, 01:25:56 pm by m4dm4n »
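The two manual steps in the post (editing the "interval:" under "stats:" and getting rid of the oversized stats.log) can be scripted so they are repeatable and do not touch the wrong key. The script below is an added example, not code from the post or from Zentyal or Suricata. It assumes POSIX sh and awk only; the function names (`set_stats_interval`, `get_stats_interval`, `zero_log`, `make_sample_config`) and the sample YAML it writes are constructed for the demo and mirror the 1.x-era layout where "stats:" sits as a list item under "outputs:". The decoy "heartbeat:" section is made up purely to show that an "interval:" key outside "stats:" is left alone. `zero_log` truncates the file in place rather than deleting it, which is the usual choice once the engine is stopped as the post describes; it is what you would run as `sudo sh -c ': > /var/log/suricata/stats.log'` on the real host.

```shell
#!/bin/sh
# Added example (not from the forum post): scope-aware edit of Suricata's
# stats interval plus in-place truncation of an oversized stats.log.

# set_stats_interval FILE SECONDS
# Rewrites "interval:" only inside the "stats:" block. The block starts at a
# line that is exactly "stats:" (optionally prefixed by "  - ") and ends at the
# next key whose indentation is at or above that of the "stats:" line.
set_stats_interval() {
    file=$1
    secs=$2
    case "$secs" in
        ''|*[!0-9]*) echo "interval must be a positive integer" >&2; return 1 ;;
    esac
    awk -v secs="$secs" '
        function indent(s) { match(s, /^[ \t-]*/); return RLENGTH }
        /^[ \t-]*stats:[ \t]*$/ { in_stats = 1; depth = indent($0); print; next }
        in_stats && /^[ \t-]*[A-Za-z0-9_-]+:/ && indent($0) <= depth { in_stats = 0 }
        in_stats && /^[ \t]*interval:[ \t]*[0-9]+/ {
            sub(/interval:[ \t]*[0-9]+/, "interval: " secs)
        }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# get_stats_interval FILE  -> prints the current value under "stats:"
get_stats_interval() {
    awk '
        function indent(s) { match(s, /^[ \t-]*/); return RLENGTH }
        /^[ \t-]*stats:[ \t]*$/ { in_stats = 1; depth = indent($0); next }
        in_stats && /^[ \t-]*[A-Za-z0-9_-]+:/ && indent($0) <= depth { in_stats = 0 }
        in_stats && /^[ \t]*interval:/ {
            sub(/.*interval:[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit
        }
    ' "$1"
}

# zero_log FILE  -> truncates FILE to zero bytes, prints its previous size.
# Truncating keeps the inode, so nothing that still references the path breaks.
zero_log() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    before=$(wc -c < "$file" | tr -d ' ')
    : > "$file"
    echo "$before"
}

# make_sample_config FILE  -> writes a constructed config for the demo.
make_sample_config() {
    cat > "$1" <<'EOF'
%YAML 1.1
---
outputs:
  - fast:
      enabled: yes
      filename: fast.log
  - stats:
      enabled: yes
      filename: stats.log
      interval: 8
  - unified2-alert:
      enabled: no
# constructed decoy section (not a real Suricata key): must stay untouched
heartbeat:
  interval: 8
EOF
}

# Demo run against a throwaway directory.
demo_dir=$(mktemp -d)
make_sample_config "$demo_dir/suricata.yaml"
printf 'constructed stats.log payload\n' > "$demo_dir/stats.log"
set_stats_interval "$demo_dir/suricata.yaml" 60
echo "stats interval is now: $(get_stats_interval "$demo_dir/suricata.yaml")"
echo "bytes freed from stats.log: $(zero_log "$demo_dir/stats.log")"
rm -rf "$demo_dir"
```

On a Zentyal host the file to edit is the stub from the post (`/usr/share/zentyal/stubs/ips/suricata-debian.yaml.mas`), and the engine should be stopped and started around the change exactly as the post shows; the awk scoping matters because the stub can contain other "interval:" keys that a blind search-and-replace would also change.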