More findings (my OPNSense router has 16GB of RAM):
- the default OPNSense setup has a log configuration that uses 50% of memory for the ramdisk (/var/log) that stores logs (in my case about 8GB of RAM)
- the last matching rule of default deny any and default pass is configured (by default) to do logging (/var/log/filter/filter*.log)
- so after 16-20 hours of operation, the /var/log ramdisk is at about full usage.
- then the scheduled task for Suricata is fired, new rules are downloaded and applied
- given that (in my case) Suricata is using about 6.5-7GB of RAM, it uses about 10-11GB while the new rules are being applied
- 8GB of ramdisk + 10GB Suricata process = OOM killer job
PS: I reconfigured the /var/log ramdisk to take 3.5GB with 4 days of log rotation, and remote logging is configured to store logs for a longer time. I will watch what happens to Suricata then.
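As an added illustration of the memory budget described in this post (not code from the poster or from OPNsense), the following POSIX shell script turns the "ramdisk + Suricata reload peak versus physical RAM" reasoning into a check you can run from a cron job or by hand. The pure functions take sizes in MB; the `live` mode measures the /var/log filesystem with `df`, the Suricata RSS with `ps`, and physical memory with `sysctl hw.physmem` (FreeBSD), and applies an assumed 1.5x growth factor for the rule-reload peak, since the post reports roughly 6.5-7GB rising to 10-11GB. The 512MB safety margin and the growth factor are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example: estimate whether a Suricata rule reload can fit next to the
# /var/log ramdisk without triggering the OOM killer. Not part of OPNsense.
# All sizes are in MB. Margin and reload factor are assumptions.

MARGIN_MB=512          # assumed: free memory we insist on keeping
RELOAD_FACTOR_PCT=150  # assumed: reload peak ~1.5x steady-state RSS

# headroom_mb TOTAL RAMDISK_USED SURICATA_PEAK OTHER
# Memory left after the ramdisk contents and the Suricata reload peak.
headroom_mb() {
    total=$1; ramdisk_used=$2; suricata_peak=$3; other=$4
    echo $(( total - ramdisk_used - suricata_peak - other ))
}

# reload_peak_mb RSS -> projected RSS during a rule reload
reload_peak_mb() {
    echo $(( $1 * RELOAD_FACTOR_PCT / 100 ))
}

# oom_risk TOTAL RAMDISK_USED SURICATA_PEAK OTHER -> "risk" or "ok"
oom_risk() {
    h=$(headroom_mb "$@")
    if [ "$h" -lt "$MARGIN_MB" ]; then
        echo risk
    else
        echo ok
    fi
}

# hours_until_full CAPACITY USED MB_PER_HOUR -> hours left before the
# ramdisk is full at the observed log growth rate (0 if already full).
hours_until_full() {
    capacity=$1; used=$2; rate=$3
    [ "$rate" -gt 0 ] || { echo 0; return; }
    left=$(( capacity - used ))
    [ "$left" -gt 0 ] || { echo 0; return; }
    echo $(( left / rate ))
}

# live_check: measure the running box (FreeBSD/OPNsense command set).
live_check() {
    total=$(( $(sysctl -n hw.physmem) / 1048576 ))
    # df -k on /var/log: column 3 is used KB on the mounted ramdisk
    ramdisk_used=$(( $(df -k /var/log | awk 'NR==2 {print $3}') / 1024 ))
    pid=$(pgrep -o suricata || true)
    if [ -n "$pid" ]; then
        rss=$(( $(ps -o rss= -p "$pid") / 1024 ))
    else
        rss=0
    fi
    peak=$(reload_peak_mb "$rss")
    echo "total=${total}MB ramdisk_used=${ramdisk_used}MB suricata_rss=${rss}MB reload_peak=${peak}MB"
    echo "headroom=$(headroom_mb "$total" "$ramdisk_used" "$peak" "$MARGIN_MB")MB status=$(oom_risk "$total" "$ramdisk_used" "$peak" "$MARGIN_MB")"
}

# Run the live measurement only when asked, so the functions can be sourced.
if [ "${1:-}" = "live" ]; then
    live_check
fi
```

With the figures from the post (16GB box, 8GB ramdisk nearly full, 10GB reload peak) the check reports `risk`; with the reconfigured 3.5GB ramdisk it reports `ok`. Running `sh suricata_budget.sh live` from a periodic cron entry gives an early warning before the scheduled rule update rather than after the OOM kill.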