I or maybe you have a problem there is no disk space due to MySQL database on Security Onion Sensor Server. Upon investigating, I realized a table is huge around 34GB.
$ find / -type f -name '*.ARN' -size +1024M -ls
524481 36073464 -rw-rw---- 1 mysql mysql 36939788428 May 26 12:41 /var/lib/mysql/syslog_data/syslogs_archive_1004053.ARN
The table is related to ELSA including MySQL, Sphinx and syslog-ng.
To delete the huge file elegantly, we can use a script, /usr/bin/securityonion-elsa-reset-archive, but the target table of the script is fixed to ‘syslogs_archive_1’. So you can use the script after replacing the table name to found one above or type some commands directly as below.
$ mysql --defaults-file=/etc/mysql/debian.cnf syslog_data \ -e "DROP TABLE syslog_data.syslogs_archive_1004053" $ mysql --defaults-file=/etc/mysql/debian.cnf syslog_data \ -e "DELETE FROM syslog.tables \ WHERE table_name='syslog_data.syslogs_archive_10024053'" $ rm /var/lib/mysql/syslog_data/syslogs_archive_1004053.ARN
If you want to remove all of tables, whose name is start with ‘syslogs_archives_1’, you can utilize the sql below.
SELECT CONCAT('DROP TABLE ', GROUP_CONCAT(table_name), ';') as statement
FROM information_schema.tables
WHERE table_name LIKE 'syslogs_archive_1%'
Basically, you need to adjust a value of retention_days of ‘/etc/elsa_node.conf’ because the huge table belongs to ELSA.
BTW, the reason why the table in question became huge is still remain. I just tried delete it as above. Sorry for that.
Practical Security 