Technical Tip: How to prevent FortiSIEM filesystem full crashes
| Description | This article describes how to prevent FortiSIEM filesystem full crashes. |
| Scope | FortiSIEM. |
| Solution | FortiSIEM can receive an abnormally large burst of events, during which logs are written faster than they can be rotated. The writers addressed here are Apache (httpd) and mod_security: their logs and data live on the root (/) filesystem, and when it fills up the appliance becomes unresponsive.
To avoid this, the steps below create a fixed-size disk image on the Supervisor, loop-mount it at /var/log/httpd and move the Apache and mod_security log and data directories onto it. A log burst can then fill only the image, never the root disk. Run the following from the Supervisor CLI as root.
First check the free space on the root filesystem. The image created below is 2400 MiB, so at least that much must be free:
df -h /
Create the image file and format it as ext4. The -F flag skips the "is not a block special device, proceed anyway?" prompt that mke2fs shows for a regular file:
dd if=/dev/zero of=/logVirtDisk.img bs=1M count=2400
mkfs -t ext4 -F /logVirtDisk.img
Back up the current Apache logs, stop httpd, empty the log directory, mount the image on it, make the mount persistent across reboots, and restore the logs onto the new filesystem. Stay in /var/log for the whole sequence so that the archive extracts into the mounted directory:
cd /var/log
tar -czvf /tmp/httpd_logs.tar.gz httpd
systemctl stop httpd
rm -rf httpd/*
mount -t auto -o loop /logVirtDisk.img /var/log/httpd
echo "/logVirtDisk.img /var/log/httpd ext4 defaults 0 0" >> /etc/fstab
tar -xzvf /tmp/httpd_logs.tar.gz
Move the mod_security temporary and persistent data directory onto the same filesystem, keep a copy of the original configuration, and point SecTmpDir and SecDataDir at the new location:
mkdir /var/log/httpd/mod_security
chown apache:root /var/log/httpd/mod_security
chmod 770 /var/log/httpd/mod_security
cp -rp /var/lib/mod_security/* /var/log/httpd/mod_security
rm -rf /var/lib/mod_security/*
cp /etc/httpd/conf.d/mod_security.conf /tmp/mod_security.conf_bak
sed -i 's#SecTmpDir .*#SecTmpDir /var/log/httpd/mod_security#' /etc/httpd/conf.d/mod_security.conf
sed -i 's#SecDataDir .*#SecDataDir /var/log/httpd/mod_security#' /etc/httpd/conf.d/mod_security.conf
Start httpd again:
systemctl start httpd
Afterwards, FortiSIEM is reachable again and the Apache and mod_security logs are on the dedicated filesystem. Confirm with df -h /var/log/httpd, which should report the loop-mounted image rather than the root disk. If the image fills up, only httpd logging is affected; the root filesystem stays writable.
Note: This configuration may need to be repeated after a FortiSIEM upgrade. Before re-running it, check that /var/log/httpd is still a mount point and that /etc/fstab contains the entry only once; the echo above appends unconditionally, so running it twice produces a duplicate entry. |
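The following script is an added example and is not part of the original article or of FortiSIEM. It makes the fstab step idempotent (so the procedure can be re-run after an upgrade without duplicating the entry), applies the SecTmpDir/SecDataDir change with an anchored sed, and provides a verification routine for the running appliance. Paths default to the ones used in the article; the file-editing functions take the file to operate on as an argument so they can be exercised against copies. It assumes util-linux mountpoint(1) and POSIX sed/awk, and the file name check_httpd_logdisk.sh is hypothetical.

```shell
#!/bin/sh
# Added example (not the article's own commands): idempotent fstab update and a
# post-change / post-upgrade check for the loop-mounted /var/log/httpd filesystem.
# Defaults match the article; functions take the file to edit as $1 so they can be
# run against copies. Assumes util-linux mountpoint(1) and POSIX sed/awk.

IMG=/logVirtDisk.img
MNT=/var/log/httpd
MODSEC_DIR=/var/log/httpd/mod_security
FSTAB_LINE="$IMG $MNT ext4 defaults 0 0"

# ensure_fstab_entry FSTAB: append the mount line only when it is absent, so
# re-running the procedure after an upgrade does not create a duplicate entry.
ensure_fstab_entry() {
    if ! grep -qF -- "$FSTAB_LINE" "$1"; then
        printf '%s\n' "$FSTAB_LINE" >> "$1"
    fi
}

# count_fstab_entries FSTAB: number of non-comment entries whose mount point is
# $MNT (expected: exactly 1).
count_fstab_entries() {
    awk -v mnt="$MNT" '$1 !~ /^#/ && $2 == mnt { n++ } END { print n + 0 }' "$1"
}

# set_modsec_dirs CONF: rewrite SecTmpDir and SecDataDir to $MODSEC_DIR. Same
# edit as the article's sed, but anchored to the start of the line so that only
# the directive itself can match. Written via a temp file for portability.
set_modsec_dirs() {
    sed "s#^\([[:space:]]*SecTmpDir\)[[:space:]].*#\1 $MODSEC_DIR#;s#^\([[:space:]]*SecDataDir\)[[:space:]].*#\1 $MODSEC_DIR#" "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# modsec_dirs_ok CONF: succeed only if both directives point at $MODSEC_DIR.
modsec_dirs_ok() {
    tmp=$(awk '$1 == "SecTmpDir" { print $2 }' "$1")
    data=$(awk '$1 == "SecDataDir" { print $2 }' "$1")
    [ "$tmp" = "$MODSEC_DIR" ] && [ "$data" = "$MODSEC_DIR" ]
}

# verify_live: checks against the running appliance (run as root). Reports
# whether the image is mounted and how full it is, and whether /etc/fstab and
# mod_security.conf still reference it. Returns non-zero on any failure.
verify_live() {
    rc=0
    if mountpoint -q "$MNT"; then
        echo "ok: $MNT is mounted, $(df -P "$MNT" | awk 'NR == 2 { print $5 }') used"
    else
        echo "FAIL: $MNT is not a mount point; $IMG is not mounted"
        rc=1
    fi
    n=$(count_fstab_entries /etc/fstab)
    if [ "$n" != "1" ]; then
        echo "FAIL: expected exactly one /etc/fstab entry for $MNT, found $n"
        rc=1
    fi
    if ! modsec_dirs_ok /etc/httpd/conf.d/mod_security.conf; then
        echo "FAIL: SecTmpDir/SecDataDir do not both point at $MODSEC_DIR"
        rc=1
    fi
    return $rc
}

# Usage on the Supervisor: sh check_httpd_logdisk.sh verify
if [ "${1:-}" = "verify" ]; then
    verify_live
fi
```

Run it with the verify argument after an upgrade or reboot: a FAIL line for the mount point means the image is no longer mounted and the logs are back on the root disk, so the steps above have to be repeated; a count other than 1 means the fstab entry is missing or duplicated.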
