This repository has been archived by the owner on Apr 16, 2021. It is now read-only.

sensor-clean: add option to skip removal of bro or argus logs #523

Closed
GoogleCodeExporter opened this issue Mar 24, 2015 · 4 comments

Comments

@GoogleCodeExporter

The following patches [1] add options to skip the removal of Bro or ARGUS (or both) logs, since they have potential for long-term storage due to their small size. E.g. the user would add "--skip-bro" to the sensor-clean cronjob to put this into effect.

Notes:
The default is to not skip removal of any logs, same as prior to the patch.
If --skip-bro is used, /nsm/bro/extracted files are still removed.

[1] https://github.com/jonschipp/security-onion/commit/9aa1b261a4ff969057ad6dbadd27f4883657ddd6

Original issue reported on code.google.com by jonsch...@gmail.com on 5 Apr 2014 at 3:00

@GoogleCodeExporter

Is this of interest? 

If you want this in a different format, let me know, e.g. a standard patch.
You can just copy the files in the repo to their respective locations in SO.

Original comment by jonsch...@gmail.com on 20 Apr 2014 at 5:39


@GoogleCodeExporter

Hi Jon,

I like the idea!  Thanks for the patch.

Some feedback on nsm_sensor_clean:

- looks like the --skip-both option is setting SKIP_REMOVAL=ARGUS.  Should that be SKIP_REMOVAL=BOTH?

- instead of having folks edit the sensor-clean cronjob, what if it were a config option in /etc/nsm/securityonion.conf?  See WARN_DISK_USAGE and CRIT_DISK_USAGE near the end of the file, right above the sensor_cleandisk call.

Some feedback on lib-nsm-sensor-utils:

- Should the following line be checking for "BRO" instead of "$BRO"?

            if [ "$SKIP_REMOVAL" == "NONE" ] || [ "$SKIP_REMOVAL" == "$BRO" ]

Thanks!

Original comment by doug.bu...@gmail.com on 20 Apr 2014 at 6:00

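The skip logic described in the issue, together with the securityonion.conf option proposed in the reply above, modelled in bash as an added example. This is not Security Onion's code and not the patch under discussion; the directory layout, the function names, the sample files, and the choice to treat an unrecognised value as NONE are assumptions made for this illustration.

```bash
#!/bin/bash
# Added example, not Security Onion's own code. Models the SKIP_REMOVAL
# behaviour described in the issue: NONE|BRO|ARGUS|BOTH, with
# /nsm/bro/extracted always removed. Paths and names are assumptions.

# Anything other than the four known values is a misconfiguration (for
# example a typo in securityonion.conf). Falling back to NONE keeps the
# pre-patch behaviour instead of silently skipping every removal and
# letting the disk fill. (Assumed policy, not the project's.)
normalize_skip() {
    case "$1" in
        NONE|BRO|ARGUS|BOTH) echo "$1" ;;
        *) echo "sensor-clean: invalid SKIP_REMOVAL='$1', using NONE" >&2
           echo NONE ;;
    esac
}

# Read SKIP_REMOVAL from a securityonion.conf-style file. Only an
# uncommented assignment at the start of a line counts; a bare
# `grep SKIP_REMOVAL` would also match a commented-out line. Surrounding
# double quotes are stripped; a missing line means NONE.
read_skip_from_conf() {
    local value
    value=$(sed -n 's/^SKIP_REMOVAL=//p' "$1" | tail -n 1 | tr -d '"')
    normalize_skip "${value:-NONE}"
}

# Print "remove" or "keep" for a log category under a given SKIP_REMOVAL.
decision() {
    local category="$1" skip
    skip=$(normalize_skip "${2:-NONE}")
    case "$category" in
        extracted) echo remove ;;                  # never retained
        bro)   case "$skip" in BRO|BOTH)   echo keep ;; *) echo remove ;; esac ;;
        argus) case "$skip" in ARGUS|BOTH) echo keep ;; *) echo remove ;; esac ;;
        *) echo "sensor-clean: unknown category '$category'" >&2; return 2 ;;
    esac
}

# Build a throwaway sensor tree under $1 (constructed sample data).
make_sample_tree() {
    local root="$1"
    mkdir -p "$root/nsm/bro/logs/2014-04-05" "$root/nsm/bro/extracted" \
             "$root/nsm/sensor_data/sensor1-eth0/argus"
    echo conn  > "$root/nsm/bro/logs/2014-04-05/conn.log"
    echo file  > "$root/nsm/bro/extracted/HTTP-sample.exe"
    echo argus > "$root/nsm/sensor_data/sensor1-eth0/argus/2014-04-05.log"
}

# Remove one day's data according to SKIP_REMOVAL, then print the relative
# paths of whatever survived, one per line, sorted.
clean_tree() {
    local root="$1" skip="$2"
    [ "$(decision bro "$skip")" = remove ]       && rm -rf "$root/nsm/bro/logs/2014-04-05"
    [ "$(decision extracted "$skip")" = remove ] && rm -f "$root/nsm/bro/extracted/"*
    [ "$(decision argus "$skip")" = remove ]     && rm -f "$root/nsm/sensor_data/sensor1-eth0/argus/"*.log
    (cd "$root" && find nsm -type f | sort)
}

# Fresh tree, clean with the given SKIP_REMOVAL, report survivors.
run_scenario() {
    local tmp
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    clean_tree "$tmp" "$1"
    rm -rf "$tmp"
}

# Stand-alone demo: one line per scenario, including an invalid value.
for mode in NONE BRO ARGUS BOTH Bro; do
    printf '%s -> %s\n' "$mode" "$(run_scenario "$mode" | tr '\n' ' ')"
done
```

Running the file prints one line per scenario. With BRO only the Bro conn.log survives (the extracted file is still deleted, as the issue specifies); with BOTH both log files survive; an unrecognised value such as Bro is reported on stderr and cleaned as NONE.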

@GoogleCodeExporter

Applied fixes [1] and suggestion [1][2]. Thanks.


 -          if [ "$SKIP_REMOVAL" == "NONE" ] || [ "$SKIP_REMOVAL" == "$BRO" ]
 +          if [ "$SKIP_REMOVAL" == "NONE" ] || [ "$SKIP_REMOVAL" == "BRO" ]
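Review bot: read as "remove unless the operator asked to skip Bro", this test must wrap the ARGUS removal, with the mirror test on ARGUS wrapping the Bro removal; the excerpt does not show which block it guards, so please confirm the two branches are not swapped. Note also that any value other than NONE or BRO makes this test false, so a typo in the config (say SKIP_REMOVAL=Bro) is indistinguishable from BOTH and silently disables the removal; a `case "$SKIP_REMOVAL" in NONE|BRO) ... ;; *) warn and behave as NONE ;; esac` would fail safe. `==` inside `[ ]` is a bashism, fine as long as this script keeps running under bash.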

-           SKIP_REMOVAL=ARGUS
+           SKIP_REMOVAL=BOTH
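Review bot: the value now matches the --skip-both option name flagged above, but since the same variable also gets a default and a securityonion.conf entry in the next hunk, the patch should document which wins when the cronjob flag and the config line disagree (whichever is processed last), and it would help operators if the effective SKIP_REMOVAL were logged at run time so they can tell why logs were or were not removed.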

+SKIP_REMOVAL=NONE
  CONF="/etc/nsm/securityonion.conf"

  if [ -f $CONF ]; then
 @@ -190,6 +191,7 @@ if [ -f $CONF ]; then
    # If $CONF doesn't have these variables, add them
    grep WARN_DISK_USAGE $CONF >/dev/null || echo "WARN_DISK_USAGE=80" >> $CONF
    grep CRIT_DISK_USAGE $CONF >/dev/null || echo "CRIT_DISK_USAGE=90" >> $CONF
 +  grep SKIP_REMOVAL    $CONF >/dev/null || echo "SKIP_REMOVAL=NONE"  >> $CONF
  fi
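Review bot: `grep SKIP_REMOVAL $CONF` is an unanchored substring match, so a commented-out `#SKIP_REMOVAL=BRO` or a mention in a comment suppresses the append while leaving the variable unset; use `grep -q '^SKIP_REMOVAL=' "$CONF"` (the WARN_DISK_USAGE and CRIT_DISK_USAGE lines above share the weakness and could be tightened at the same time). The `SKIP_REMOVAL=NONE` default placed above `CONF=` only takes effect if the file is sourced after it, which this excerpt does not show, and nothing validates the value read from the file before it reaches the `[ "$SKIP_REMOVAL" == ... ]` tests. Quote `$CONF` as well.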

Add SKIP_REMOVAL to so setup [2]


[1] https://github.com/jonschipp/securityonion/commit/cca7969f2cea24ff8bc5c9088dc50a44924f5495#diff-58c73f792d9d1289600ba4567f56ec40R194/#196
[2] https://github.com/jonschipp/security-onion/commit/27c4f25b97605bb82319709513165 0976aa70122

Original comment by jonsch...@gmail.com on 20 Apr 2014 at 8:00


@GoogleCodeExporter

Thanks, added to Roadmap!

Original comment by doug.bu...@gmail.com on 20 Apr 2014 at 8:04

