Suricata 4.0.6, /data/suricata/eve.json files too large

Seifer · April 5, 2024, 4:38pm

Good afternoon,

Our eve-*.json files have grown to be very large, so much so that its filled our /data/suricata directory and has subsequently caused any and all suricata and splunk services on the device to stop. Additionally the device has become unable to be SSH’d into.

For example, here are the sizes:
1.6T eve-dnsnt80.json
48G eve-ids-attacknt80.json
15G eve-statsnt80.json
12G eve-statsnt40.json

Are any of these safe to delete?
Additionally, how can we manage these .json files better in the future? Can a cron job be made to delete these logs routinely?

I apologize if this doesn’t make too much sense, I am still very new to Suricata.

ish · April 5, 2024, 4:44pm

Please see the documentation on log rotation: 17.6. Log Rotation — Suricata 8.0.0-dev documentation

Suricata 6 and 7 do contain a template that can be used for reference in the ./etc/ directory.

Please note that Suricata 4 was end of life in 2019 and is no longer supported.

Topic		Replies	Views
Eve.json.1-<timestamp>.backup Help	1	426	April 6, 2021
Eve.json with 'weird' output and no ALERTS Help	1	485	December 8, 2021
Eve.json ingest to Splunk (over 100GB a day) Help	4	916	June 4, 2021
Eve.json & fast.log files stopped working randomly Help suricata	1	427	January 2, 2023
Suricata 6.0.9 on Ubuntu 22.04 not getting traffic at all Help	11	998	December 24, 2022

Suricata 4.0.6, /data/suricata/eve.json files too large

Related topics