ASL not deleting old alerts

Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)
hostingguy
Forum Regular
Posts: 661
Joined: Mon Oct 29, 2007 6:51 pm

ASL not deleting old alerts

Unread post by hostingguy »

Hi,

not sure exactly when this happened - could have been when upgrading to 4.x, but it seems like ASL is no longer removing the old asl audit and logging directories/files in the same way it used to.

For example, on one of my boxes I have this set:
MODSEC_CLEAN_ALERT="3"
MODSEC_DATADIR="/var/asl/data/msa"
MODSEC_AUDITDIR="/var/asl/data/audit"
ALERTS_USE_DB="yes"
ASL_DB_RETENTION="7 days"
My understanding of these would be that the DB alerts are cleared out after 7 days, and the file alerts are cleaned out after 3.

However when looking at the audit dir, it looks like it has changed slightly from the previous:

old:
/var/asl/data/audit

new:
/var/asl/data/audit/apache


And my log directories are there from several weeks, not just the last 3 (or 7) days.
# asl -v


Atomic Secured Linux, version 4.0-10.el5.art: CloudLinux 5 (SUPPORTED)
Copyright Atomicorp 2005-2014
All Rights Reserved.

Extended Version Information:

ASL_VERSION 4.0-10
APPINV_VERSION 201402101531
CLAMAV_VERSION 201405151043
GEOMAP_VERSION 201405181158
GRSEC_VERSION 0
MODSEC_VERSION 201405182059
OSSEC_VERSION 201405151252
WAF_DELAYED_VERSION 0
KERNEL_VERSION 0

Is this a new and/or known bug?
hostingguy
Forum Regular
Posts: 661
Joined: Mon Oct 29, 2007 6:51 pm

Re: ASL not deleting old alerts

Unread post by hostingguy »

Opened case.
CRServers
Forum User
Posts: 54
Joined: Wed Jul 04, 2012 7:44 am
Location: Costa Rica

Re: ASL not deleting old alerts

Unread post by CRServers »

Our MySQL server crashed last night because of lack of disk space which brought server down.

I later found out that folder /var/asl/data/audit/apache was holding over 35G of space on that partition.

Can somebody point me to a solution to this problem?

Is it safe to delete all that stuff there?

Shouldn't there be some mechanism in the software to prevent ASL from taking over all the space from the /var partition and causing a total server crash?

Thanks for your recommendations.
Regards,
Rodrigo Fernández
http://www.crservers.com
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: ASL not deleting old alerts

Unread post by scott »

You can manage retention for this data in ASL Web under:

Settings->ASL Configuration->Web Application Firewall->Number of days to retain alerts

These records contain the detailed information from an attack that we would need for a false positive report; otherwise setting this to a short interval will not impact ASL or any other event tracking.
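As an added example (not ASL's own code or anything from Atomicorp), a small POSIX shell helper an admin can use to see where the audit space is going (per subdirectory, including the newer apache one) and to list or remove audit files older than a retention window. It takes the directory and day count as arguments, with defaults mirroring the MODSEC_AUDITDIR and MODSEC_CLEAN_ALERT values quoted in the thread, and assumes a file's mtime reflects when the alert was written.

```shell
#!/bin/sh
# Added example, not ASL's retention code. Defaults below are taken from
# the thread's settings; the directory layout (audit/apache) is assumed.
AUDIT_DIR_DEFAULT="/var/asl/data/audit"
RETAIN_DAYS_DEFAULT="3"

# Disk usage per entry under the audit directory, smallest first, so the
# subdirectory that is filling the partition stands out.
audit_usage() {
    du -sk "$1"/* "$1" 2>/dev/null | sort -n
}

# Number of files under $1 with an mtime older than $2 days: the set a
# retention sweep would remove.
count_stale() {
    find "$1" -type f -mtime +"$2" | wc -l | tr -d ' '
}

# List ($3 = "dry", the default) or remove ($3 = "delete") audit files
# older than $2 days under $1, then drop directories left empty.
# Refuses an empty or root path so a bad variable cannot wipe the box.
prune_audit() {
    dir="$1"; days="$2"; mode="${3:-dry}"
    if [ -z "$dir" ] || [ "$dir" = "/" ]; then
        echo "refusing to prune '$dir'" >&2
        return 2
    fi
    if [ "$mode" = "dry" ]; then
        find "$dir" -type f -mtime +"$days" -print
    else
        find "$dir" -type f -mtime +"$days" -print -exec rm -f {} +
        find "$dir" -mindepth 1 -type d -empty -delete
    fi
}

# When run directly: report usage and show what a sweep would remove.
# Nothing is deleted unless "delete" is passed explicitly.
dir="${MODSEC_AUDITDIR:-$AUDIT_DIR_DEFAULT}"
if [ -d "$dir" ]; then
    audit_usage "$dir"
    echo "stale files: $(count_stale "$dir" "${MODSEC_CLEAN_ALERT:-$RETAIN_DAYS_DEFAULT}")"
    prune_audit "$dir" "${MODSEC_CLEAN_ALERT:-$RETAIN_DAYS_DEFAULT}" dry
fi
```

Run it as root from cron with `delete` only after the dry run lists what you expect; the web UI retention setting scott mentions is still the supported way to control this.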
CRServers
Forum User
Posts: 54
Joined: Wed Jul 04, 2012 7:44 am
Location: Costa Rica

Re: ASL not deleting old alerts

Unread post by CRServers »

Thanks for your response.
That configuration could solve our issue.
I have changed the configuration paths (MODSEC_UPLOADDIR, MODSEC_DATADIR, and MODSEC_AUDITDIR) to save those files on a bigger partition.
But ASL keeps on saving them in the same place.
Do I have to restart anything to activate the file path changes?
Please advise.
Thanks,
Rodrigo Fernández
http://www.crservers.com
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: ASL not deleting old alerts

Unread post by scott »

Did you run asl -s -f after that?
CRServers
Forum User
Posts: 54
Joined: Wed Jul 04, 2012 7:44 am
Location: Costa Rica

Re: ASL not deleting old alerts

Unread post by CRServers »

sorry
wrong thread
:(
Rodrigo Fernández
http://www.crservers.com