
ASL not deleting old alerts

Posted: Mon May 19, 2014 4:34 pm
by hostingguy
Hi,

Not sure exactly when this happened (could have been when upgrading to 4.x), but it seems like ASL is no longer removing the old ASL audit and logging directories/files in the same way it used to.

For example, on one of my boxes I have this set:
MODSEC_CLEAN_ALERT="3"
MODSEC_DATADIR="/var/asl/data/msa"
MODSEC_AUDITDIR="/var/asl/data/audit"
ALERTS_USE_DB="yes"
ASL_DB_RETENTION="7 days"
My understanding of these would be that the DB alerts are cleared out after 7 days, and the file alerts are cleaned out after 3.

However when looking at the audit dir, it looks like it has changed slightly from the previous:

old:
/var/asl/data/audit

new:
/var/asl/data/audit/apache
And my log directories are there from several weeks, not just the last 3 (or 7) days.
# asl -v
Atomic Secured Linux, version 4.0-10.el5.art: CloudLinux 5 (SUPPORTED)
Copyright Atomicorp 2005-2014
All Rights Reserved.

Extended Version Information:

ASL_VERSION 4.0-10
APPINV_VERSION 201402101531
CLAMAV_VERSION 201405151043
GEOMAP_VERSION 201405181158
GRSEC_VERSION 0
MODSEC_VERSION 201405182059
OSSEC_VERSION 201405151252
WAF_DELAYED_VERSION 0
KERNEL_VERSION 0

Is this a new and/or known bug?

Re: ASL not deleting old alerts

Posted: Tue May 20, 2014 1:35 pm
by hostingguy
Opened case.

Re: ASL not deleting old alerts

Posted: Mon Nov 24, 2014 12:51 pm
by CRServers
Our MySQL server crashed last night because of a lack of disk space, which brought the server down.

I later found out that folder /var/asl/data/audit/apache was holding over 35G of space on that partition.

Can somebody point me to a solution to this problem?

Is it safe to delete all that stuff there?

Shouldn't there be some mechanism in the software to prevent ASL from taking over all the space on the /var partition and causing a total server crash?

Thanks for your recommendations.
Regards,

Re: ASL not deleting old alerts

Posted: Mon Nov 24, 2014 3:56 pm
by scott
You can manage retention for this data in ASL Web under:

Settings->ASL Configuration->Web Application Firewall->Number of days to retain alerts

These records contain the detailed information from an attack that we would need for a false-positive report; otherwise, setting this to a short interval will not impact ASL or any other event tracking.
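As an added illustration of the retention point above, here is a small POSIX shell helper for checking how much space the audit tree is using and which files fall outside the retention window before anything is deleted. This is example code written for this page, not ASL's own cleanup mechanism; it assumes the MODSEC_AUDITDIR and MODSEC_CLEAN_ALERT values hostingguy quoted (overridable through the environment), and the nested apache/ subdirectory is covered because find recurses. The function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of ASL: report and optionally prune ModSecurity
# audit files older than a retention window so a runaway audit directory
# cannot exhaust /var. Defaults are the values posted in the thread.
set -u

MODSEC_AUDITDIR="${MODSEC_AUDITDIR:-/var/asl/data/audit}"
MODSEC_CLEAN_ALERT="${MODSEC_CLEAN_ALERT:-3}"

# audit_usage DIR
# Total space used by DIR in kilobytes (du -sk is POSIX).
audit_usage() {
    du -sk "$1" | awk '{print $1}'
}

# count_stale DIR DAYS
# Number of regular files under DIR last modified more than DAYS days ago.
# Only regular files are counted; the per-day directories are handled
# separately by prune_audit.
count_stale() {
    find "$1" -type f -mtime +"$2" | wc -l | tr -d ' '
}

# prune_audit DIR DAYS [apply]
# Dry run unless the third argument is "apply": prints the number of stale
# files on stdout and a summary on stderr. With "apply" it removes those
# files and then any per-day directories left empty, never DIR itself.
prune_audit() {
    dir="$1"; days="$2"; mode="${3:-dry-run}"
    n=$(count_stale "$dir" "$days")
    echo "$dir: $(audit_usage "$dir") KB in use, $n file(s) older than $days day(s) [$mode]" >&2
    if [ "$mode" = "apply" ]; then
        find "$dir" -type f -mtime +"$days" -exec rm -f {} + || true
        # Remove directories emptied by the step above; rmdir fails
        # harmlessly on anything that still has content.
        find "$dir" -depth -type d ! -path "$dir" -exec rmdir {} \; 2>/dev/null || true
    fi
    echo "$n"
}

# Usage (dry run first, then apply once the listing looks right):
#   prune_audit "$MODSEC_AUDITDIR" "$MODSEC_CLEAN_ALERT"
#   prune_audit "$MODSEC_AUDITDIR" "$MODSEC_CLEAN_ALERT" apply
```

Run the dry run first and compare its count with what `du` reports; the retention value in ASL Web remains the supported way to keep the directory bounded, and a helper like this is only a check or a one-off recovery when the partition is already full.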

Re: ASL not deleting old alerts

Posted: Tue Nov 25, 2014 12:22 pm
by CRServers
Thanks for your response.
That configuration could solve our issue.
I have changed the configuration paths (MODSEC_UPLOADDIR, MODSEC_DATADIR, and MODSEC_AUDITDIR) to save those files on a bigger partition.
But ASL keeps on saving them in the same place.
Do I have to restart anything to activate the file path changes?
Please advise.
Thanks,

Re: ASL not deleting old alerts

Posted: Wed Nov 26, 2014 8:32 pm
by scott
Did you run asl -s -f after that?

Re: ASL not deleting old alerts

Posted: Mon Sep 21, 2015 1:01 pm
by CRServers
sorry
wrong thread
:(