FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
mbenvenuti
Staff
Article Id 348823
Description: This article describes how to prevent FortiSIEM from crashing when its root filesystem fills up.
Scope: FortiSIEM.
Solution

It is possible for FortiSIEM to receive an abnormally high load in which system logs are written faster than they can be rotated. This can fill up the main (/) root disk and cause the appliance to become unresponsive.

To avoid this, the following steps describe how to build a virtual disk image inside FortiSIEM and move the Apache logs onto it, so that the / root disk cannot be filled by them. Run the commands from the super CLI as root:

  1. Make sure root disk usage is less than 13GB, then create the virtual disk image of 2 GB:

df -h /
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/rl-root 22G 11G 12G 49% /

dd if=/dev/zero of=/logVirtDisk.img bs=1M count=2400
mkfs -t ext4 /logVirtDisk.img

  2. Back up the existing Apache logs, stop the Apache service and mount the new disk on the log directory (the fstab entry makes the mount persistent across reboots):

cd /var/log
tar -czvf /tmp/httpd_logs.tar.gz httpd
systemctl stop httpd
rm -rf httpd/*
mount -t auto -o loop /logVirtDisk.img /var/log/httpd
echo "/logVirtDisk.img /var/log/httpd ext4 defaults 0 0" >> /etc/fstab
tar -xvf /tmp/httpd_logs.tar.gz

  3. Move the Apache security module (mod_security) working directories onto the new disk and point its configuration at them:

mkdir /var/log/httpd/mod_security
chown apache:root /var/log/httpd/mod_security
chmod 770 /var/log/httpd/mod_security
cp -rp /var/lib/mod_security/* /var/log/httpd/mod_security
rm -rf /var/lib/mod_security/*
cp /etc/httpd/conf.d/mod_security.conf /tmp/mod_security.conf_bak
sed -i 's#SecTmpDir .*#SecTmpDir /var/log/httpd/mod_security#' /etc/httpd/conf.d/mod_security.conf
sed -i 's#SecDataDir .*#SecDataDir /var/log/httpd/mod_security#' /etc/httpd/conf.d/mod_security.conf

  4. Start Apache:

systemctl start httpd

Afterwards, FortiSIEM will be reachable again and the Apache logs will reside on a dedicated disk, so a burst of web server logging can no longer fill the / root disk.

Note: This configuration may need to be reapplied after a FortiSIEM upgrade.
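Because the relocation can be undone by an upgrade, a quick way to confirm it is still in place is a script that checks the fstab entry, the mod_security paths and the root disk usage from the steps above. The script below is an added example and not part of the Fortinet article; the 13000 MB limit and the sample file contents are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the Fortinet article): checks that the loop-disk
# setup from the steps above is still in place, e.g. after an upgrade.
# Each check takes its input as text so it runs offline on the constructed
# samples below; on the appliance pass "$(cat /etc/fstab)",
# "$(cat /etc/httpd/conf.d/mod_security.conf)" and "$(df -m /)" instead.
LOG_DISK_IMG=/logVirtDisk.img
LOG_MOUNT=/var/log/httpd
MODSEC_DIR=/var/log/httpd/mod_security
ROOT_USED_MAX_MB=13000   # assumption: the article's "less than 13GB" read as 13000 MB

# 0 when the persistent fstab line written in step 2 is present.
fstab_has_log_disk() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$LOG_DISK_IMG[[:space:]]+$LOG_MOUNT[[:space:]]+ext4"
}

# 0 when both mod_security directives changed in step 3 point at the relocated directory.
modsec_dirs_relocated() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*SecTmpDir[[:space:]]+$MODSEC_DIR[[:space:]]*$" &&
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*SecDataDir[[:space:]]+$MODSEC_DIR[[:space:]]*$"
}

# 0 when the Used column of `df -m /` is below the limit (precondition of step 1).
root_usage_ok() {
    used=$(printf '%s\n' "$1" | awk 'NR == 2 { print $3 }')
    [ -n "$used" ] && [ "$used" -lt "$ROOT_USED_MAX_MB" ]
}

# Runs one check and prints PASS/FAIL; a FAIL means that step must be re-applied.
run_check() {   # usage: run_check <label> <check function> <input text>
    if "$2" "$3"; then echo "PASS: $1"; else echo "FAIL: $1"; return 1; fi
}

# Constructed sample inputs, not captured from a real appliance.
SAMPLE_FSTAB='/dev/mapper/rl-root / xfs defaults 0 0
/logVirtDisk.img /var/log/httpd ext4 defaults 0 0'
SAMPLE_MODSEC_OK='SecRuleEngine On
SecTmpDir /var/log/httpd/mod_security
SecDataDir /var/log/httpd/mod_security'
SAMPLE_MODSEC_STOCK='SecTmpDir /var/lib/mod_security
SecDataDir /var/lib/mod_security'
SAMPLE_DF='Filesystem 1M-blocks Used Available Use% Mounted on
/dev/mapper/rl-root 22528 11264 11264 50% /'

failures=0
run_check "fstab entry" fstab_has_log_disk "$SAMPLE_FSTAB" || failures=$((failures + 1))
run_check "mod_security paths" modsec_dirs_relocated "$SAMPLE_MODSEC_OK" || failures=$((failures + 1))
run_check "root disk usage" root_usage_ok "$SAMPLE_DF" || failures=$((failures + 1))
echo "checks failed: $failures"
```

A run against SAMPLE_MODSEC_STOCK, which shows the stock /var/lib/mod_security paths an upgrade would restore, reports FAIL for the mod_security check and tells you step 3 has to be repeated.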