Suricata issue on PPPoE interface. Logs consumes 80GB of space in less than 2h.

Started by uriel1981, October 02, 2023, 08:02:49 PM

Hi
Recently I decided to go from an OPNsense VM (on VMware) to a physical one.
After deploying and configuring it as it was on my VM, after a few hours the OPNsense Web GUI stopped working.
I saw that in the suricata log folder there are almost 80 GB of logs :/

In that log I found:
2023-10-02T13:54:38   Error   suricata   [101232] <Error> -- [ERRCODE: SC_ERR_NETMAP_READ(264)] - Error reading netmap data via polling from iface 'pppoe0^': (55u) No buffer space available   
2023-10-02T13:54:38   Error   suricata   [101232] <Error> -- [ERRCODE: SC_ERR_NETMAP_READ(264)] - Error reading netmap data via polling from iface 'pppoe0^': (55u) No buffer space available   
2023-10-02T13:54:38   Error   suricata   [101225] <Error> -- [ERRCODE: SC_ERR_NETMAP_READ(264)] - Error reading netmap data via polling from iface 'pppoe0': (55u) No buffer space available   
2023-10-02T13:54:38   Error   suricata   [101225] <Error> -- [ERRCODE: SC_ERR_NETMAP_READ(264)] - Error reading netmap data via polling from iface 'pppoe0': (55u) No buffer space available   
2023-10-02T13:54:38   Error   suricata   [101225] <Error> -- [ERRCODE: SC_ERR_NETMAP_READ(264)] - Error reading netmap data via polling from iface 'pppoe0': (55u) No buffer space

This is a bit strange because after I disabled the suricata service the logs were still growing. I had to disable any logs from being written to disk: in SYSTEM->SETTINGS->Logging I had to check the option "Disable writing log files to the local disk" to save the OPNsense box from being unavailable.
Honestly I have no idea where to look further.

I found a topic from 2019 saying that suricata has some issues with the netmap driver on PPPoE interfaces, but I had been using the same setup for years now in my VMware box as a virtual machine; it was OK for 4 years.

I also use ZENARMOR on the LAN interface as I was using it before, no issue whatsoever.
The only difference is that now I'm using a box with a 10GB NIC, Intel X540-T2.
Unfortunately I'm sharing some services, that is why I need suricata on my WAN interface to be working ;(

Does anybody have the same issue and was able to solve it?

Also I'm not very good with Linux/BSD systems; that's why I search the forums for a solution to a problem that is similar or the same as mine.


OPNsense is in version 23.7.5

regards

That many logs is a clear indication of one or more rules misfiring, so you need to look into what's generating the noise.

If you touched the number of saved logs you might want to revisit Suricata settings, and maybe set the rotation to daily.
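An added example, not code from this thread or from OPNsense/Suricata: a small Python script that parses the log format quoted in the first post, counts errors per error code and interface (and per second), and flags the keys that repeat above a threshold, so one can see which source is flooding the log before touching rotation settings. The sample lines are the ones quoted above; the storm threshold is an assumed value.

```python
import re
from collections import Counter, defaultdict

# Matches the OPNsense Suricata log format quoted in the thread:
# "<timestamp>   Error   suricata   [<pid>] <Error> -- [ERRCODE: <code>(<num>)] - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>\w+)\s+(?P<proc>\w+)\s+\[(?P<pid>\d+)\]\s+<\w+>\s+--\s+"
    r"\[ERRCODE:\s*(?P<code>\w+)\((?P<num>\d+)\)\]\s+-\s+(?P<msg>.*)$"
)
# The interface name is embedded in the message; 'pppoe0^' (with caret) is the
# netmap host-stack ring, so it is kept distinct from 'pppoe0'.
IFACE_RE = re.compile(r"iface '(?P<iface>[^']+)'")

# Constructed sample: the five lines quoted in the post (last one truncated as posted).
SAMPLE_LOG = [
    "2023-10-02T13:54:38   Error   suricata   [101232] <Error> -- [ERRCODE: SC_ERR_NETMAP_READ(264)] - Error reading netmap data via polling from iface 'pppoe0^': (55u) No buffer space available",
    "2023-10-02T13:54:38   Error   suricata   [101232] <Error> -- [ERRCODE: SC_ERR_NETMAP_READ(264)] - Error reading netmap data via polling from iface 'pppoe0^': (55u) No buffer space available",
    "2023-10-02T13:54:38   Error   suricata   [101225] <Error> -- [ERRCODE: SC_ERR_NETMAP_READ(264)] - Error reading netmap data via polling from iface 'pppoe0': (55u) No buffer space available",
    "2023-10-02T13:54:38   Error   suricata   [101225] <Error> -- [ERRCODE: SC_ERR_NETMAP_READ(264)] - Error reading netmap data via polling from iface 'pppoe0': (55u) No buffer space available",
    "2023-10-02T13:54:38   Error   suricata   [101225] <Error> -- [ERRCODE: SC_ERR_NETMAP_READ(264)] - Error reading netmap data via polling from iface 'pppoe0': (55u) No buffer space",
]

def parse_line(line):
    """Return the fields of one Suricata log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    im = IFACE_RE.search(rec["msg"])
    rec["iface"] = im.group("iface") if im else None
    return rec

def summarize(lines, storm_threshold=100):
    """Count errors per (code, iface) and per second; list keys at or above the threshold."""
    per_key = Counter()
    per_second = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # unparseable lines are skipped, not counted
            continue
        key = (rec["code"], rec["iface"])
        per_key[key] += 1
        per_second[rec["ts"]][key] += 1
    peak = max((n for sec in per_second.values() for n in sec.values()), default=0)
    storms = [k for k, n in per_key.most_common() if n >= storm_threshold]
    return {"per_key": dict(per_key), "peak_per_second": peak, "storms": storms}

if __name__ == "__main__":
    # threshold of 3 is an assumed value for the tiny sample; use a larger one on a real file
    print(summarize(SAMPLE_LOG, storm_threshold=3))
```

On a real installation the same functions can be fed the Suricata log file line by line; a key that dominates both the total and the per-second peak is the one to address (or to exclude from logging) before re-enabling disk logging.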