Is there a way to inform Suricata to use only a certain amount of memory for logs?

Please include the following information with your help request:

  • Suricata version : 7.0.7
  • Operating system and/or Linux distribution : We use our own distro (AOS-CX)
  • How you installed Suricata (from source, packages, something else) : source

Hi Team,

Directory: /var/log/suricata/
filesystem: tmpfs
Mount point: /var/volatile
Memory: 1.8GB

Is there a way to inform the Suricata daemon to use only a certain amount of memory (assume 1 GB) for logs?

Are you talking about the disk space used for the files or actually memory?

Asking this question because there could be a scenario where, based on malicious traffic, Suricata could generate huge alert logs within a small period of time and consume the entire 1.8 GB tmpfs memory, and this could result in rebooting the device.
I am talking from a production point of view (customer environment), I mean a live scenario where the device is running Suricata.

You could set up logrotate or other measures on the OS level to prevent this. But 1.8 GB of memory for Suricata, and also as tmpfs for logs, is just too small.
Depending on the log types you will reach those limits even with normal traffic quite fast. So ideally set up logrotate and thresholds, and maybe forward the logs to an external system.

@Andreas_Herz ,
Actually, under the outputs/eve-log section in suricata.yaml we have enabled only the alert level and the rest of the things are commented out, so we don't expect huge logs.
We have 1.8 GB for all the processes and this can't be given to the Suricata daemon alone, so we are checking whether we can inform Suricata to use only a certain amount of memory for logs.

How much traffic do you expect and how many signatures do you use?
What packet capture mode is used?

Even if Suricata alone had the full 1.8 GB, I would doubt it would perform, regardless of any logging.

As I said you have to use system level tools to do the limiting.