Low nsm partition usage #14148

rizzoloantony · 2025-01-24T18:38:24Z

rizzoloantony
Jan 24, 2025

Version

2.4.111

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

8

RAM

64

Storage for /

280GB

Storage for /nsm

8TB

Network Traffic Collection

span port

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

After 21 days of activity with an average traffic of 40Mb/s I have a NSM partition utilization of 29% with a PCAP retention of just 3 days. All system settings are at the default values. What could be the cause of the problem?

Guidelines

I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

Answered by dougburks

Feb 13, 2025

OK, so what is the setting at Administration > Configuration > suricata > pcap > maxsize?

View full answer

cm-ops · 2025-01-27T15:56:53Z

cm-ops
Jan 27, 2025
Maintainer

Do you think you should have more disk usage? What do your indices look like? sudo so-index-list

If you look in influxdb, what is your PCAP retention?

1 reply

rizzoloantony Feb 2, 2025
Author

all indexes are green and open. On average the indexes associated with ds-logs-suricata.alert-so-aaaa.mm.dd have an average size of 230mb. In influxb the value given for PCAP retention is 2.7 days, and in the alarm grid there is value 2 in the severity column for Low pcap retention.

dougburks · 2025-02-06T15:54:57Z

dougburks
Feb 6, 2025
Maintainer

What is the setting at Administration > Configuration > global > pcapengine?

2 replies

rizzoloantony Feb 12, 2025
Author

suricata

dougburks Feb 13, 2025
Maintainer

OK, so what is the setting at Administration > Configuration > suricata > pcap > maxsize?

Answer selected by rizzoloantony

rizzoloantony · 2025-02-13T18:58:35Z

rizzoloantony
Feb 13, 2025
Author

Current Grid Value: 25
nameofsystem_standalone: 1952

4 replies

dougburks Feb 13, 2025
Maintainer

OK, so what is the setting at Administration > Configuration > suricata > pcap > conditional?

rizzoloantony Feb 14, 2025
Author

Current Grid Value: All

dougburks Feb 14, 2025
Maintainer

What is the setting at Administration > Configuration > bpf > suricata?

Have you checked for additional clues in /opt/so/log/suricata/suricata.log?

What is the output of the following?

ls -alhR /nsm/suripcap/

rizzoloantony Feb 17, 2025
Author

I solved by increasing the maxsize value!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Low nsm partition usage #14148

{{title}}

Replies: 3 comments 7 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

Low nsm partition usage #14148

rizzoloantony Jan 24, 2025

Version

Installation Method

Description

Installation Type

Location

Hardware Specs

CPU

RAM

Storage for /

Storage for /nsm

Network Traffic Collection

Network Traffic Speeds

Status

Salt Status

Logs

Detail

Guidelines

Replies: 3 comments · 7 replies

cm-ops Jan 27, 2025 Maintainer

rizzoloantony Feb 2, 2025 Author

dougburks Feb 6, 2025 Maintainer

rizzoloantony Feb 12, 2025 Author

dougburks Feb 13, 2025 Maintainer

rizzoloantony Feb 13, 2025 Author

dougburks Feb 13, 2025 Maintainer

rizzoloantony Feb 14, 2025 Author

dougburks Feb 14, 2025 Maintainer

rizzoloantony Feb 17, 2025 Author

rizzoloantony
Jan 24, 2025

Replies: 3 comments 7 replies

cm-ops
Jan 27, 2025
Maintainer

rizzoloantony Feb 2, 2025
Author

dougburks
Feb 6, 2025
Maintainer

rizzoloantony Feb 12, 2025
Author

dougburks Feb 13, 2025
Maintainer

rizzoloantony
Feb 13, 2025
Author

dougburks Feb 13, 2025
Maintainer

rizzoloantony Feb 14, 2025
Author

dougburks Feb 14, 2025
Maintainer

rizzoloantony Feb 17, 2025
Author