If you have insufficient space for Security Onion’s /nsm filesystems, then consider adjusting these parameters in the SOC (Administration > Configuration):

  • pcap > config > maxdirectoryfiles
    • Setting this value to roughly 144000 files yields roughly 100 days of packet capture, although your mileage may vary. Be prepared to lower or raise this value as needed.
    • The default value of 30000 files amounts to approximately 21.4 days of packet capture for my use case. In other words, a rate of approximately 1401 files/day.
  • elasticsearch > index_settings > global_overrides > policy > phases > delete > min_age
    • Set this value close to the number of days of packet capture, say 100d, and you should be good. Be prepared to lower or raise this value as needed.

While here, if you adjust kratos > config > session > lifespan, only the following units are allowed:

  • h (hours)
  • m (minutes)
  • s (seconds)
  • ms (milliseconds)
  • us (microseconds)

If you entered 30d (hoping for 30 days) instead of the accepted 720h, recover by editing /opt/so/saltstack/local/pillar/kratos/soc_kratos.sls on the manager and then running sudo so-soc-restart, also on the manager.
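The two procedures above (sizing maxdirectoryfiles and min_age from an observed files/day rate, and checking a kratos lifespan against the accepted units before committing it) can be done with a small planning script. This is an added example, not code from the post or from Security Onion: the unit list is the one given above, the 30000 files / 21.4 days figures are the post's observations, and the setting names in the returned dict are informal labels, not SOC API keys.

```python
import re

# Units the SOC accepts for kratos > config > session > lifespan, per the
# post, with multipliers to seconds so a value can be sanity-checked.
ALLOWED_UNITS = {"h": 3600.0, "m": 60.0, "s": 1.0, "ms": 1e-3, "us": 1e-6}

_TOKEN = re.compile(r"(\d+(?:\.\d+)?)([a-zA-Z]+)")


def parse_lifespan(value: str) -> float:
    """Return total seconds for a lifespan such as '720h' or '1h30m'.

    Raises ValueError for any unit outside ALLOWED_UNITS (e.g. '30d'), so
    the mistake is caught before it has to be repaired in soc_kratos.sls.
    """
    pos, total = 0, 0.0
    for m in _TOKEN.finditer(value):
        if m.start() != pos:
            raise ValueError(f"malformed duration: {value!r}")
        num, unit = m.groups()
        if unit not in ALLOWED_UNITS:
            raise ValueError(
                f"unit {unit!r} not allowed in {value!r}; use h, m, s, ms or us"
            )
        total += float(num) * ALLOWED_UNITS[unit]
        pos = m.end()
    if pos == 0 or pos != len(value):
        raise ValueError(f"malformed duration: {value!r}")
    return total


def is_valid_lifespan(value: str) -> bool:
    """True if the SOC would accept this lifespan string."""
    try:
        parse_lifespan(value)
        return True
    except ValueError:
        return False


def days_as_lifespan(days: int) -> str:
    """Express a retention in days using the largest accepted unit (hours)."""
    return f"{days * 24}h"


def files_per_day(maxdirectoryfiles: int, observed_days: float) -> float:
    """Observed pcap turnover: files retained divided by the days they covered."""
    return maxdirectoryfiles / observed_days


def plan_retention(target_days: int, rate_files_per_day: float) -> dict:
    """Derive the two settings that should move together for a retention target:
    pcap maxdirectoryfiles and the Elasticsearch delete-phase min_age.
    The dict keys are informal labels (assumed here), not SOC config paths."""
    return {
        "pcap.maxdirectoryfiles": round(target_days * rate_files_per_day),
        "elasticsearch.delete.min_age": f"{target_days}d",
    }


if __name__ == "__main__":
    # Observed rate from the post: 30000 files lasted about 21.4 days.
    rate = files_per_day(30000, 21.4)
    print(plan_retention(100, rate))
    for candidate in ("720h", days_as_lifespan(30), "30d"):
        if is_valid_lifespan(candidate):
            print(candidate, "->", parse_lifespan(candidate), "seconds")
        else:
            print(candidate, "-> rejected")
```

The computed maxdirectoryfiles for 100 days lands near the post's rough 144000 figure; treat it as a starting point and revisit it once you have seen your own files/day rate.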

Why anyone would use seconds, milliseconds, or even microseconds, be it on their own or combined with the larger units, remains a mystery.
