[Emerging-Sigs] U2 Filesystem, Log Rotation, and Cleanup

Korodev korodev at gmail.com
Thu Oct 13 13:07:45 EDT 2011


> I have unified streamed as syslog and delete the u2 files, but that's
> because I have a full NSM setup which gives me the packet data I need
> for later use.  If the u2 files are the only place you've got the
> packet data, I recommend keeping them around for as long as you think
> you may want to follow-up on an incident or check for trends.
> However, if you've got a mature enough setup to want to do those
> things, you've probably already got full pcap going somewhere.

As of now, I'm dumping the u2 files to a DB (using BY2 w/waldo) and
keeping them around for some separate processing, but I never
absolutely have to go back to the u2 files for data. I'm in how others
are handling u2 log rotation and deletion without colliding with BY2.
Ideally, I wish there was a way for BY2 to "clean-up" after itself.

\\korodev


More information about the Emerging-sigs mailing list