OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Archive »
  • 23.7 Legacy Series »
  • Suricata issue on PPPoE interface. Logs consumes 80GB of space in less than 2h.
« previous next »
  • Print
Pages: [1]

Author Topic: Suricata issue on PPPoE interface. Logs consumes 80GB of space in less than 2h.  (Read 1027 times)

uriel1981

  • Newbie
  • *
  • Posts: 1
  • Karma: 0
    • View Profile
Suricata issue on PPPoE interface. Logs consumes 80GB of space in less than 2h.
« on: October 02, 2023, 08:02:49 pm »
Hi
recently I decided to go from OPNsense VM (on Vmware) to physical one.
After deploying and configure as it was on my VM after few hours OPNsense Web GUI stopped to work.
I saw that on suricata log folder there are almost 80 GB of logs :/

in that log i found :
2023-10-02T13:54:38   Error   suricata   [101232] <Error> -- [ERRCODE: SC_ERR_NETMAP_READ(264)] - Error reading netmap data via polling from iface 'pppoe0^': (55u) No buffer space available   
2023-10-02T13:54:38   Error   suricata   [101232] <Error> -- [ERRCODE: SC_ERR_NETMAP_READ(264)] - Error reading netmap data via polling from iface 'pppoe0^': (55u) No buffer space available   
2023-10-02T13:54:38   Error   suricata   [101225] <Error> -- [ERRCODE: SC_ERR_NETMAP_READ(264)] - Error reading netmap data via polling from iface 'pppoe0': (55u) No buffer space available   
2023-10-02T13:54:38   Error   suricata   [101225] <Error> -- [ERRCODE: SC_ERR_NETMAP_READ(264)] - Error reading netmap data via polling from iface 'pppoe0': (55u) No buffer space available   
2023-10-02T13:54:38   Error   suricata   [101225] <Error> -- [ERRCODE: SC_ERR_NETMAP_READ(264)] - Error reading netmap data via polling from iface 'pppoe0': (55u) No buffer space

this is a bit strange because after I disabled suricata service logs ware still growing. I had to disable any logs from being written to disk. on SYSTEM->SETTINGS->Logging, I had to check this option "Disable writing log files to the local disk" to be able to safe OPNsense box from being unavailable.
Honestly I have no idea where to look further.

I found a topic from 2019 that suricata has some issues with netmap driver on PPPoE interfacess, but I was using the same setup for years now in my Vmware box as virtual machine, It was ok for 4 years now.

I also use ZENARMOR on LAN interface as I was using it before, no issue whatsoever.
Only difference is now I'm using box with 10GB nic Intel x540-t2.
Unfortunately I'm sharing some services that is why I need this suricata on my wan interface to be working ;(

Does anybody has the same issue and was able to solve this?

also I'm not verry good in Linux/bsd systems That's why I search the forums for a solution to a problem that is similar or the same as mine


OPNsense is in version 23.7.5

regards
« Last Edit: October 02, 2023, 09:27:26 pm by uriel1981 »
Logged

newsense

  • Hero Member
  • *****
  • Posts: 1037
  • Karma: 77
    • View Profile
Re: Suricata issue on PPPoE interface. Logs consumes 80GB of space in less than 2h.
« Reply #1 on: October 03, 2023, 04:01:33 am »
That many logs is a clear indication of one or more rules misifiring, so you need to look into what's generating the noise.

If you touched the number of saved logs you might want to revisit Suricata settings, and maybe set the rotation to daily.
Logged
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • Archive »
  • 23.7 Legacy Series »
  • Suricata issue on PPPoE interface. Logs consumes 80GB of space in less than 2h.
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2