Hi all,

As discussed on the forum
https://community.ipfire.org/t/re-large-backupfile/15346
it appears that Suricata’s new cache optimisation feature is creating a large number of files under `/var/cache/suricata/sgh/`, which in some cases causes backup files to grow to 800+ MB.

@Adolf has confirmed that this directory probably should not be included in backups, as it is automatically regenerated, and I believe he mentioned he is working on a patch to exclude it from the backup.

However, in the meantime, this directory continues to grow over time. The upstream Suricata patches to automatically clean or maintain the cache have not yet been merged, although they may be soon:

https://github.com/OISF/suricata/pull/13850
https://github.com/OISF/suricata/pull/14400

To me this represents a disk-space exhaustion risk on systems with limited storage. Perhaps we should consider disabling Suricata’s new cache optimisation feature until automatic cache cleanup/maintenance is available upstream and included.

Thanks,
Adam
