Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
20.1 Legacy Series
»
Maltrail questions regarding disk usage
« previous
next »
Print
Pages: [
1
]
Author
Topic: Maltrail questions regarding disk usage (Read 3386 times)
Ricardo
Full Member
Posts: 233
Karma: 12
Maltrail questions regarding disk usage
«
on:
April 03, 2020, 11:55:06 am »
Hello all,
tried to find answers for my questions on maltrail site (
https://github.com/stamparm/maltrail
), but without success.
0) this is rather an improvement request: please make the password change for the admin maltrail account less painful, as it is currently via the main opnsense admin GUI
1) the maltrail creates their files under /.maltrail, and also writes to /root/var/log instead of /var. My /var and /tmp is on TMPFS to reduce the killing of the small SSD with constant log-related writes. Is there a plan to put maltrail pkg files under proper location, and utilize standard /var and /tmp for anything frequently written log files? I cannot really measure how much disk write traffic is generated to the rootfs due to maltrail writing their files there, MONIT most probably summarizes both true rootfs write traffic and tmpfs write traffic, so that can be misleading for me.
2) it seems memory usage has skyrocketed in the past days (uptime is currently around 1 month), even after I restarted the maltrail server service. Is there any way to see if the memory usage is "normal" or something is leaking memory / should I schedule a maintenance reboot of the whole router someday?
3) Can some maltrail threats marked manually to bypass, as those are false positives, and harmless? Due to the amount they are reported frequently and cause lot of noise.
In general, I am looking for some more in-depth tutorials, how to fine-tune maltrail. The official github page is talking about things from a different perspective, and dont help to solve the real-world questions one will ask about this software.
Logged
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: Maltrail questions regarding disk usage
«
Reply #1 on:
April 03, 2020, 03:16:00 pm »
0) No, too much effort for such a quick process. if someone wants to do it, I'm ok with it
1) The problem is that maltrail is started by configd which has no homedirectory, so trails are in /.
But logs should be on /var/log/maltrail .. are you sure you are watching the correct folder?
2) Can you check via "top -SPa" whats happening?
3) I planned this months ago but forgot about it. Maybe when I find time. Miroslav sent my an email today that alienvault should be added to bypass list, I will add this soon.
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
Ricardo
Full Member
Posts: 233
Karma: 12
Re: Maltrail questions regarding disk usage
«
Reply #2 on:
April 03, 2020, 03:41:05 pm »
0) To be honest, I didnt manage to perform that simple-looking password change sofar. If I copy-paste a calculated SHA256 hash of a simple string (without spaces or ENTER etc.) I am not allowed to login to the maltrail GUI on ROUTERIP:8338 with that new password. The default password lets me in though.
1)
root@FW01:/var/log # pwd
/var/log
root@FW01:/var/log # ls -l maltrail
lrwxr-xr-x 1 root wheel 22 Mar 6 20:00 maltrail -> /root/var/log/maltrail
root@FW01:/var/log #
root@FW01:/var/log # cd maltrail/
root@FW01:/var/log/maltrail # ls -l
total 1428
-rw-r--r-- 1 root wheel 2562 Feb 2 23:23 2020-02-02.log
-rw-r--r-- 1 root wheel 24497 Feb 3 20:50 2020-02-03.log
........
-rw-r--r-- 1 root wheel 27512 Apr 1 22:31 2020-04-01.log
-rw-r--r-- 1 root wheel 10968 Apr 2 22:17 2020-04-02.log
-rw-r--r-- 1 root wheel 3911 Apr 3 11:50 2020-04-03.log
-rw-rw-rw- 1 root wheel 728 Apr 3 15:33 error.log
lrwxr-xr-x 1 root wheel 22 Feb 2 06:26 maltrail -> /root/var/log/maltrail
2)
last pid: 24340; load averages: 0.96, 0.87, 0.83 up 27+18:31:48 15:32:24
68 processes: 2 running, 65 sleeping, 1 waiting
CPU 0: 4.7% user, 0.0% nice, 1.3% system, 2.4% interrupt, 91.7% idle
CPU 1: 9.9% user, 0.0% nice, 2.4% system, 0.0% interrupt, 87.7% idle
CPU 2: 10.2% user, 0.0% nice, 1.7% system, 0.3% interrupt, 87.7% idle
CPU 3: 8.5% user, 0.0% nice, 1.6% system, 0.2% interrupt, 89.8% idle
Mem: 205M Active, 1979M Inact, 995M Laundry, 547M Wired, 279M Buf, 192M Free
Swap:
PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND
11 root 4 155 ki31 0K 64K CPU0 0 2318.7 355.99% [idle]
68642 root 3 26 0 799M 746M select 3 84.1H 13.17% python3 /usr/local/share/maltrail/sensor.py (python3.7)
34290 root 3 26 0 799M 751M select 1 84.1H 13.15% python3 /usr/local/share/maltrail/sensor.py (python3.7)
65996 root 3 26 0 799M 748M select 0 84.1H 13.15% python3 /usr/local/share/maltrail/sensor.py (python3.7)
12 root 34 -56 - 0K 544K WAIT -1 829:41 2.02% [intr]
8285 root 3 20 0 1128M 1104M select 3 23.1H 1.99% python3 /usr/local/share/maltrail/sensor.py (python3.7)
15 root 1 -16 - 0K 16K pftm 3 27:25 0.08% [pf purge]
Logged
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: Maltrail questions regarding disk usage
«
Reply #3 on:
April 03, 2020, 05:09:22 pm »
0) I have to check at the weekend, long time ago I implemented it
1) This must be something with ramdisk mode, maybe there is something wrong since it's copied to /root when shutting down
2) 13% is "normal" in maltrail ..
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
Ricardo
Full Member
Posts: 233
Karma: 12
Re: Maltrail questions regarding disk usage
«
Reply #4 on:
April 03, 2020, 05:32:25 pm »
1) Maybe, I cannot say for sure, I use TMPFS on my main router for SSD write wear minimization.
2) I meant memory usage, not CPU usage.
«
Last Edit: April 03, 2020, 05:40:02 pm by Ricardo
»
Logged
Ricardo
Full Member
Posts: 233
Karma: 12
Re: Maltrail questions regarding disk usage
«
Reply #5 on:
April 06, 2020, 04:29:02 pm »
Is there anybody else, who see similar symptoms under similar router config (TMPFS e.g.)?
Logged
Ricardo
Full Member
Posts: 233
Karma: 12
Re: Maltrail questions regarding disk usage
«
Reply #6 on:
April 08, 2020, 12:50:42 pm »
Hello @mimugmail
did you manage to check the password change process?
Logged
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: Maltrail questions regarding disk usage
«
Reply #7 on:
April 08, 2020, 02:24:32 pm »
Hm, I can reproduce .. have to talk to Miro from Maltrail
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
Ricardo
Full Member
Posts: 233
Karma: 12
Re: Maltrail questions regarding disk usage
«
Reply #8 on:
April 15, 2020, 01:49:37 pm »
Strange thing: since the 20.1.4 installed last week, it now accepts the set new password. Maltrail plugin is 1.5 and maltrail package is 0.17
Logged
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: Maltrail questions regarding disk usage
«
Reply #9 on:
April 15, 2020, 02:37:35 pm »
There was an update to the plugin, but it was not related to this .. strange
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
20.1 Legacy Series
»
Maltrail questions regarding disk usage