NSM: sensor cleanup fails when there are a high number of pcaps #1234

Security-Onion-Solutions · Apr 11, 2018 · b817151 · b817151
1 parent 69943a4
commit b817151
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/usr/lib/nsmnow/lib-nsm-sensor-utils b/usr/lib/nsmnow/lib-nsm-sensor-utils
@@ -368,8 +368,8 @@ sensor_cleandisk()
 				# there are no pcaps from previous days, so look for pcaps from today that we can delete
 			        CUR_USAGE=$(df -P $SENSOR_DIR | grep -v -i filesystem | awk '{print $5}' | tr -d %)
 				# keep looping until EITHER disk usage is no longer critical OR we're out of pcaps to delete
-				while [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ] && [ `ls $SENSOR/dailylogs/$TODAY/snort.log.* | wc -l` -gt 1 ]; do
-					PCAP=`ls $SENSOR/dailylogs/$TODAY/snort.log.* |head -1`
+				while [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ] && [ `find $SENSOR/dailylogs/$TODAY/ -type f -name 'snort.log.*' | wc -l` -gt 1 ]; do
+					PCAP=`find $SENSOR/dailylogs/$TODAY/ -type f -name 'snort.log.*' | sort | head -1`
 					echo_msg 1 "removing pcap from today's directory: $PCAP"
 					rm -f "$PCAP"
 				        CUR_USAGE=$(df -P $SENSOR_DIR | grep -v -i filesystem | awk '{print $5}' | tr -d %)