[Emerging-Sigs] U2 Filesystem, Log Rotation, and Cleanup

Martin Holste mcholste at gmail.com
Thu Oct 13 12:15:12 EDT 2011

> 1. I'm looking at moving my unified2 spooling to a memory disk
> filesystem. Has anyone seen any real improvements doing this?

Compared with packet processing, this should be incredibly low-load
and inconsequential.  If it's not, you're doing it wrong.

> 2. What is the best general practice for dealing with U2 log rotation
> and clean up? Are you guys storing your U2 files for later processing
> and analysis?

I have unified streamed as syslog and delete the u2 files, but that's
because I have a full NSM setup which gives me the packet data I need
for later use.  If the u2 files are the only place you've got the
packet data, I recommend keeping them around for as long as you think
you may want to follow up on an incident or check for trends.
However, if you've got a mature enough setup to want to do those
things, you've probably already got full pcap going somewhere.
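Added example (not from the thread): a retention sweep for a unified2 spool directory that applies the advice above, keeping files for a configurable number of days while never touching the newest file, which Snort or barnyard2 may still have open. It assumes Snort's default `<base>.<epoch>` naming (e.g. `snort.u2.1318520112`); the spool path and CLI usage are hypothetical.

```python
"""Retention sweep for unified2 spool files (added example, not from the list).

Assumption: files follow Snort's default naming <base>.<epoch>, e.g.
snort.u2.1318520112, and a downstream reader such as barnyard2 may still
have the newest file open, so the newest file(s) are never removed.
"""
import os
import re
import time

# Trailing 9-10 digit epoch suffix as written by Snort's unified2 output.
U2_NAME = re.compile(r"^(?P<base>.+)\.(?P<epoch>\d{9,10})$")


def u2_epoch(name):
    """Return the rotation timestamp embedded in a unified2 filename, or None."""
    m = U2_NAME.match(os.path.basename(name))
    return int(m.group("epoch")) if m else None


def expired_u2_files(names, now, retention_days, keep_newest=1):
    """Select spool files older than the retention window.

    The `keep_newest` most recent files are retained regardless of age:
    the newest is the one Snort is writing (or barnyard2 is reading), and
    deleting it under the reader would silently lose events.
    """
    dated = []
    for n in names:
        e = u2_epoch(n)
        if e is not None:          # ignore waldo files, pcaps, etc.
            dated.append((e, n))
    dated.sort()
    protected = {n for _, n in dated[-keep_newest:]} if keep_newest > 0 else set()
    cutoff = now - retention_days * 86400
    return [n for e, n in dated if e < cutoff and n not in protected]


def sweep(spool_dir, retention_days, dry_run=True):
    """Apply the policy to a real spool directory; returns the selected paths."""
    names = [os.path.join(spool_dir, f) for f in os.listdir(spool_dir)]
    victims = expired_u2_files(names, time.time(), retention_days)
    for path in victims:
        if not dry_run:
            os.remove(path)
    return victims


if __name__ == "__main__":
    import sys
    # Hypothetical usage: python u2_sweep.py /var/log/snort 30 [--delete]
    for f in sweep(sys.argv[1], int(sys.argv[2]), "--delete" not in sys.argv[3:]):
        print(f)
```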

