
Sweet Security Server

ScottS edited this page Oct 30, 2018 · 3 revisions

Service Name: sweetsecurity_server

Installation Path: /opt/sweetsecurity/server

Log File: /var/log/sweetsecurity_server.log

The processing for the Sweet Security Server is kicked off from /opt/sweetsecurity/server/main.py.

There are currently two processing threads for Sweet Security Server:

Threads

Disk Usage Checks

Frequency: 60 minutes

Logstash/Elasticsearch do not have any method to clean up logs out of the box. In a typical home network, a million logs per day can be collected. Depending on the storage available on the Sweet Security Server, that storage will be consumed in a matter of weeks. The thread alerts the user (if configured) when disk usage reaches 85%. Additionally, it checks the 'defaultLogRetention' value stored in the sweet_security index. If the value is set to anything other than '0', logic is kicked off to delete the daily indexes that are older than the configured retention period.

Logstash stores logs in a daily index in a format such as:

logstash-2017-07-14

If the defaultLogRetention value is set to 7, and today is July 26th, the following will happen:

  • logstash-2017-07-14 <-- Delete index, it's 12 days old
  • logstash-2017-07-15 <-- Delete index, it's 11 days old
  • logstash-2017-07-16 <-- Delete index, it's 10 days old
  • logstash-2017-07-17 <-- Delete index, it's 9 days old
  • logstash-2017-07-18 <-- Delete index, it's 8 days old
  • logstash-2017-07-19
  • logstash-2017-07-20
  • logstash-2017-07-21
  • logstash-2017-07-22
  • logstash-2017-07-23
  • logstash-2017-07-24
  • logstash-2017-07-25
  • logstash-2017-07-26
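The retention selection described above, written out as an added example (this is not code from main.py or the Sweet Security project). It assumes only what the page states: daily index names of the form logstash-YYYY-MM-DD, a 'defaultLogRetention' value where 0 disables deletion, and the rule implied by the walk-through that an index is deleted once its age in days exceeds the retention value (so with retention 7, logstash-2017-07-18 goes and logstash-2017-07-19 stays). Non-daily indexes such as sweet_security are never selected.

```python
import re
from datetime import date

# Daily index names as Logstash writes them: logstash-YYYY-MM-DD.
INDEX_RE = re.compile(r"^logstash-(\d{4})-(\d{2})-(\d{2})$")


def index_date(name):
    """Return the date embedded in a daily Logstash index name, or None for
    anything that is not a daily index (sweet_security, .kibana, ...)."""
    m = INDEX_RE.match(name)
    if not m:
        return None
    try:
        return date(int(m.group(1)), int(m.group(2)), int(m.group(3)))
    except ValueError:  # e.g. logstash-2017-13-40: looks daily but is not a date
        return None


def indexes_to_delete(index_names, default_log_retention, today=None):
    """Select the daily indexes the retention check should delete.

    default_log_retention is the 'defaultLogRetention' value read from the
    sweet_security index; 0 (or anything non-positive) disables deletion.
    today may be a date or an ISO string ("2017-07-26"); it defaults to today.
    An index is deleted when its age in days is greater than the retention
    value, matching the wiki's walk-through: with retention 7 on July 26,
    logstash-2017-07-18 (8 days old) goes, logstash-2017-07-19 (7 days) stays.
    """
    try:
        retention = int(default_log_retention)
    except (TypeError, ValueError):
        return []  # unparsable setting: refuse to delete rather than guess
    if retention <= 0:
        return []
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    doomed = []
    for name in index_names:
        d = index_date(name)
        if d is None:
            continue  # never touch non-daily indexes
        if (today - d).days > retention:
            doomed.append(name)
    return sorted(doomed)


if __name__ == "__main__":
    # Constructed index list reproducing the wiki's example.
    names = ["logstash-2017-07-%02d" % day for day in range(14, 27)] + ["sweet_security"]
    for name in indexes_to_delete(names, 7, "2017-07-26"):
        print("DELETE", name)
```

Selecting the indexes is kept separate from issuing the Elasticsearch delete so the decision can be logged and checked before anything is removed; an unparsable retention setting deliberately results in no deletions.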

FileCheckIO Checks

Frequency: 5 minutes

Any logs gathered from /opt/nsm/bro/logs/current/files.log will be analyzed and sent to the filecheck.io API (if configured). The response is then stored in the filecheckscore field for that log. If the file is considered to be malicious, it will send an alert to the user (if configured).

This logic is intended to be a template for users to integrate other threat intel providers for things such as IPs, URLs, and file hashes.
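As an added illustration of the template idea (not the project's own FileCheckIO code), the following parses a Bro files.log excerpt, looks each file hash up through a pluggable provider function, stores the result in a filecheckscore field, and returns the records that should raise an alert. The sample log is constructed and uses only a subset of Bro's files.log columns; the provider, its score scale, the "malicious" threshold and the choice of the md5 column as the lookup key are all assumptions, since the page does not specify filecheck.io's API. Swapping the lookup function is the point: the same loop works for an IP or URL provider keyed on a different column.

```python
# Constructed files.log excerpt with a subset of Bro's fields (a real files.log has more columns).
SAMPLE_FILES_LOG = """#separator \\x09
#fields\tts\tfuid\ttx_hosts\trx_hosts\tmime_type\tfilename\tmd5
#types\ttime\tstring\tset[addr]\tset[addr]\tstring\tstring\tstring
1500000000.123456\tFabc1\t203.0.113.10\t192.168.1.20\tapplication/x-dosexec\tsetup.exe\td41d8cd98f00b204e9800998ecf8427e
1500000001.000000\tFabc2\t192.168.1.20\t192.168.1.30\ttext/plain\tnotes.txt\t-
1500000002.500000\tFabc3\t203.0.113.10\t192.168.1.20\tapplication/pdf\tinvoice.pdf\t5d41402abc4b2a76b9719d911017c592
"""

# Constructed stand-in for the filecheck.io API: hash -> score, None when the hash is unknown.
CONSTRUCTED_INTEL = {
    "d41d8cd98f00b204e9800998ecf8427e": 92,
    "5d41402abc4b2a76b9719d911017c592": 3,
}

# Assumed cut-off; the real provider's scale is not documented on the page.
MALICIOUS_THRESHOLD = 70


def constructed_lookup(file_hash):
    """Provider function. A real integration would call the provider's API here."""
    return CONSTRUCTED_INTEL.get(file_hash)


def parse_files_log(text):
    """Parse Bro/Zeek TSV log text into dicts keyed by the #fields header.
    Bro's unset marker '-' becomes None; other '#' header lines are skipped."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        values = [None if v == "-" else v for v in line.split("\t")]
        records.append(dict(zip(fields, values)))
    return records


def enrich_files_log(records, lookup, key="md5", threshold=MALICIOUS_THRESHOLD):
    """Store the provider's score in filecheckscore on every record and return
    the records whose score meets the alert threshold. Lookups are cached per
    hash so a file seen many times in one pass is queried once."""
    cache = {}
    alerts = []
    for rec in records:
        file_hash = rec.get(key)
        if file_hash is None:
            rec["filecheckscore"] = None  # nothing to query for this record
            continue
        if file_hash not in cache:
            cache[file_hash] = lookup(file_hash)
        score = cache[file_hash]
        rec["filecheckscore"] = score
        if score is not None and score >= threshold:
            alerts.append(rec)
    return alerts


def run_filecheck_pass(text, lookup):
    """One iteration of the thread's work: parse, enrich, return (records, alerts)."""
    records = parse_files_log(text)
    alerts = enrich_files_log(records, lookup)
    return records, alerts


if __name__ == "__main__":
    records, alerts = run_filecheck_pass(SAMPLE_FILES_LOG, constructed_lookup)
    for rec in records:
        print(rec["fuid"], rec["filename"], rec["filecheckscore"])
    for rec in alerts:
        print("ALERT", rec["fuid"], rec["filename"], "from", rec["tx_hosts"])
```

Records without a hash (the text/plain transfer above) are marked with a None score rather than dropped, so the enriched log still shows that the check ran and found nothing to query.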

Troubleshooting

  • SweetSecurity_Server service does not start when using the 2017-07-05-raspbian-jessie image. The urllib3 module needs to be downgraded to 1.23: "pip install urllib3==1.23"