Monday, January 26, 2015

New version of sguil-db-purge helps prevent Sguil uncategorized events from getting out of control

We have a new version of sguil-db-purge which should help prevent your Sguil uncategorized events from getting out of control.  sguil-db-purge now adds a new configuration parameter to /etc/nsm/securityonion.conf called UNCAT_MAX (and sets it to 100000 by default).  If the number of Sguil uncategorized events is higher than UNCAT_MAX, then sguil-db-purge will categorize the oldest events until UNCAT_MAX is reached.

I've packaged this new version and it has been tested by David Zawdie (thanks!).

The new package version is:
 securityonion-sguil-db-purge - 20120722-0ubuntu0securityonion10

Issues Resolved

Issue 672: sguil-db-purge: check for UNCAT_MAX
https://code.google.com/p/security-onion/issues/detail?id=672

Updating
The new package is now available in our stable repo.  Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade

Screenshots

The next time sguil-db-purge runs, it adds UNCAT_MAX=100000 to /etc/nsm/securityonion.conf

If there are fewer than UNCAT_MAX uncategorized events, no action is necessary

If we set UNCAT_MAX to a number smaller than our number of uncategorized events...

...then sguil-db-purge categorizes the oldest events until we get down to UNCAT_MAX
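To make the behaviour above concrete, here is an added example (not the sguil-db-purge script itself) that models the UNCAT_MAX logic so it can be exercised offline. It assumes the config file uses KEY=VALUE lines like /etc/nsm/securityonion.conf and that the caller supplies the current uncategorized-event count (on a sensor that number would come from the Sguil database); the "warn" state is an added early-warning check, not something sguil-db-purge does.

```shell
#!/bin/sh
# Added example, not the sguil-db-purge script: models the UNCAT_MAX behaviour so
# it can be run offline. Assumptions: KEY=VALUE config lines as in
# /etc/nsm/securityonion.conf; the uncategorized count is passed in by the caller.

DEFAULT_UNCAT_MAX=100000

# Make sure UNCAT_MAX is present in the config (appending the default if it is
# absent, as sguil-db-purge does on its next run) and print the effective value.
ensure_uncat_max() {
    conf="$1"
    [ -f "$conf" ] || : > "$conf"
    if ! grep -q '^UNCAT_MAX=' "$conf"; then
        printf 'UNCAT_MAX=%s\n' "$DEFAULT_UNCAT_MAX" >> "$conf"
    fi
    sed -n 's/^UNCAT_MAX=//p' "$conf" | tail -n 1
}

# Decide what happens for a given backlog of uncategorized events:
#   "ok"       count is comfortably below the limit, no action
#   "warn"     count is at or above WARN_PCT percent of the limit (added check:
#              the oldest events are about to be auto-categorized unreviewed)
#   "purge N"  count exceeds the limit; the N oldest events get categorized
uncat_action() {
    count="$1"; limit="$2"; warn_pct="${3:-90}"
    for v in "$count" "$limit" "$warn_pct"; do
        case "$v" in ''|*[!0-9]*) echo "non-numeric value: '$v'" >&2; return 1;; esac
    done
    if [ "$count" -gt "$limit" ]; then
        echo "purge $((count - limit))"
    elif [ $((count * 100)) -ge $((limit * warn_pct)) ]; then
        echo "warn"
    else
        echo "ok"
    fi
}
```

Run `uncat_action "$(count_from_your_db)" "$(ensure_uncat_max /etc/nsm/securityonion.conf)"` from a cron job to get notified before the purge kicks in.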


Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists

Commercial Support
Need training and/or commercial support?  Please see:
http://securityonionsolutions.com

Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers

Thanks!
