
πŸžπŸ‹ it remains only alters for 15 days.

Open · ym2011 opened this issue 3 years ago • 3 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

Current Behavior

I found there were lots of alerts on 2022-07-11. Now I logged in to the dashboard and found there are no alerts for that date in the dashboard, so I tried to check why: there is no alert record in Hunting, Kibana, Evebox, or even eve.json from before 15 days ago. There are only alert records between 2022-07-17 and 2022-07-28.

Expected Behavior

No response

Steps To Reproduce

I just did the following:

```shell
git clone https://github.com/StamusNetworks/SELKS.git
cd /opt/SELKS/docker/
./easy-setup.sh
sudo docker-compose ps
```

and then i just let them running and nothing is changed.

Docker version

Docker version 20.10.12, build e91ed57

docker-compose version

docker-compose version 1.29.2, build 5becea4c

OS Version

Description: CentOS Linux release 7.9.2009 (Core)

Content of the environnement File

```
COMPOSE_PROJECT_NAME=SELKS
INTERFACES= -i ens192
SCIRIUS_SECRET_KEY=yLMG-9jH1mRb2kAcsemkSxVmjPNu334QMLpZIIKB1bw
ML_ENABLED=false
```

Version of SELKS

```
commit d874ad504fb027e03ed1fc40e10afa21744171d8
Author: Peter [email protected]
Date:   Fri Jun 24 12:53:21 2022 +0300

    doc: fix formating
```

Anything else?

No response

ym2011 · Jul 28 '22 06:07

Can you please list the contents of the suricata/log folder?

```shell
ls -lh containers-data/suricata/logs/
```

And also the output of the command below:

```shell
cat containers-data/suricata/logrotate/suricata
```

pevma · Jul 31 '22 15:07

```
$ ls -lh containers-data/suricata/logs/
total 1.2G
-rw-r--r--. 1 chrony chrony  38M Aug  1 11:14 eve.json
-rw-r--r--. 1 chrony chrony 227M Aug  1 10:00 eve.json.1
-rw-r--r--. 1 chrony chrony 226M Jul 31 10:01 eve.json.2
-rw-r--r--. 1 chrony chrony 416M Jul 30 10:01 eve.json.3
drwxr-xr-x. 2 chrony chrony 4.0K Aug  1 11:07 fpc
-rw-r--r--. 1 chrony chrony 3.7M Aug  1 11:14 stats.log
-rw-r--r--. 1 chrony chrony  68M Aug  1 10:00 stats.log.1
-rw-r--r--. 1 chrony chrony  68M Jul 31 10:01 stats.log.2
-rw-r--r--. 1 chrony chrony 122M Jul 30 10:01 stats.log.3
-rw-r--r--. 1 chrony chrony  43K Aug  1 10:01 suricata.log.1
-rw-r--r--. 1 chrony chrony  43K Jul 31 10:01 suricata.log.2
-rw-r--r--. 1 chrony chrony 139K Jul 30 10:01 suricata.log.3
```

```
$ cat containers-data/suricata/logrotate/suricata
/var/log/suricata/*.log /var/log/suricata/*.json {
    daily
    missingok
    rotate 3
    nocompress
    sharedscripts
    postrotate
        suricatasc -c reopen-log-files
    endscript
}
```

ym2011 · Aug 01 '22 03:08

From the output above, the log rotation of the files on disk seems to be working ok.
The log management inside ES needs to be managed from here - https://github.com/StamusNetworks/SELKS/wiki/Docker#elasticsearch-data-and-log-rotation
as SELKS does not do that by default, due to the differences between deployments.

pevma · Aug 01 '22 09:08

Thanks, I think I found it: it is because of the Index Lifecycle Policy named logstash-autodelete in Kibana. There is a configuration which moves data into the Delete phase when it is 14 days old. Therefore I changed the time to 180 days, and alert records in Hunting, Kibana and Evebox can be retained for longer.

ym2011 · Aug 23 '22 02:08
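The two comments above (pevma's pointer to managing Elasticsearch retention outside SELKS, and ym2011's finding that the `logstash-autodelete` ILM policy deletes indices after 14 days) describe a check a practitioner would want to script rather than click through in Kibana. The following is an added example, not code from the thread or from the SELKS project. It assumes an unauthenticated Elasticsearch on `http://localhost:9200` (the default in a SELKS docker deployment is an assumption here), the policy name `logstash-autodelete` as reported by ym2011, and a constructed sample of the `GET /_ilm/policy/<name>` response with a 14-day delete phase. Note that raising `min_age` only protects indices that have not yet entered the delete phase; data already deleted by ILM is gone, and the on-disk `eve.json` files are rotated separately by logrotate (`rotate 3`), so they are not a backup of older alerts either.

```python
"""Inspect and extend the delete phase of an Elasticsearch ILM policy.

Added example for the SELKS retention issue; not part of SELKS. The ES URL,
policy name and sample response below are assumptions/constructed data.
"""
import json
import sys
import urllib.request
from typing import Optional

ES_URL = "http://localhost:9200"        # assumption: unauthenticated ES reachable locally
POLICY_NAME = "logstash-autodelete"     # policy name as reported in the thread

# Constructed sample of what GET /_ilm/policy/logstash-autodelete returns when
# the delete phase fires at 14 days (not captured from the reporter's system).
SAMPLE_POLICY_RESPONSE = json.dumps({
    POLICY_NAME: {
        "version": 1,
        "modified_date": "2022-06-24T09:53:21.000Z",
        "policy": {
            "phases": {
                "hot": {"min_age": "0ms", "actions": {}},
                "delete": {"min_age": "14d", "actions": {"delete": {}}},
            }
        },
        "in_use_by": {"indices": ["logstash-2022.07.28"], "data_streams": [],
                      "composable_templates": []},
    }
})

# Constructed sample of a policy with no delete phase at all (indices kept forever).
NO_DELETE_RESPONSE = json.dumps({
    POLICY_NAME: {"policy": {"phases": {"hot": {"min_age": "0ms", "actions": {}}}}}
})


def delete_min_age(response_body: str, policy_name: str) -> Optional[str]:
    """Return the delete phase's min_age (e.g. '14d'), or None if there is no delete phase."""
    doc = json.loads(response_body)
    phases = doc[policy_name]["policy"]["phases"]
    delete_phase = phases.get("delete")
    if delete_phase is None:
        return None
    return delete_phase.get("min_age")


def min_age_days(min_age: str) -> int:
    """Convert an ILM duration expressed in days ('14d') to an int; other units are rejected."""
    if not min_age.endswith("d"):
        raise ValueError(f"unsupported min_age unit: {min_age}")
    return int(min_age[:-1])


def build_policy(retention_days: int) -> dict:
    """Body for PUT /_ilm/policy/<name>: keep indices hot, delete them after retention_days."""
    if retention_days <= 0:
        raise ValueError("retention must be a positive number of days")
    return {
        "policy": {
            "phases": {
                "hot": {"min_age": "0ms", "actions": {}},
                "delete": {"min_age": f"{retention_days}d", "actions": {"delete": {}}},
            }
        }
    }


def get_policy(es_url: str, name: str) -> str:
    """Fetch the raw JSON of an ILM policy from Elasticsearch."""
    with urllib.request.urlopen(f"{es_url}/_ilm/policy/{name}") as resp:
        return resp.read().decode()


def put_policy(es_url: str, name: str, body: dict) -> int:
    """Overwrite the ILM policy; ES bumps the policy version and applies it to indices using it."""
    req = urllib.request.Request(
        f"{es_url}/_ilm/policy/{name}",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="PUT",
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Usage: python ilm_retention.py [wanted_days]; only talks to ES when run directly.
    wanted = int(sys.argv[1]) if len(sys.argv) > 1 else 180
    current = delete_min_age(get_policy(ES_URL, POLICY_NAME), POLICY_NAME)
    if current is None or min_age_days(current) < wanted:
        print(f"{POLICY_NAME}: delete phase at {current}, raising to {wanted}d")
        print("HTTP", put_policy(ES_URL, POLICY_NAME, build_policy(wanted)))
    else:
        print(f"{POLICY_NAME}: delete phase already at {current}, nothing to do")
```

The comparison in `__main__` deliberately leaves a policy alone when its retention is already longer than the requested value, so the script is safe to run repeatedly from a cron job or a deployment playbook; the disk budget for 180 days of `logstash-*` indices is the operator's to verify, since that is precisely the per-deployment difference pevma mentions.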