Version: 3.0.0
Installation Method: Security Onion ISO image
Description: upgrading
Installation Type: Distributed
Location: on-prem with Internet access
Hardware Specs: Exceeds minimum requirements
CPU: 12
RAM: 16
Storage for /: 166
Storage for /nsm: 334
Network Traffic Collection: span port
Network Traffic Speeds: Less than 1Gbps
Status: No, one or more services are failed (please provide detail below)
Salt Status: No, there are no failures
Logs: No, there are no additional clues

Detail

After the upgrade to version 3.0, on the sensor node the nsm gets full and the zeek process dies.
I tried manually deleting the nsm partition. After one day the problem is the same.
I am running this in a home lab environment. The sensor is a physical machine with the specs above.
What can I do to fix it?
Thank you.

In 3.0, pcap is now captured via Suricata instead of Stenographer. What is your maxsize (Administration -> Configuration -> suricata -> pcap -> maxsize) set to? You might try lowering that significantly as a test. I imagine you'll need to manually clear out your nsm again in order to get things back to normal before your test. The formula for how maxsize works is here: #15626.

@sjnhawk

Is there a "safe" way to manually clean out the nsm partition? I am having the same issues and suricata is configured correctly.

@alan-lafleur

Do you have production data you need to keep or is this a test environment and you can delete all the data and start over? If it's the latter, I'd say a sudo so-nsm-clear should do the trick. Here's another thread that may be helpful: #5839
