What T-Pot version are you currently using (only T-Pot 24.04.x is currently supported)?
24.04
What architecture are you running on (i.e. hardware, cloud, VM, etc.)?
Azure VM
Review the ~/install_tpot.log, attach the log and highlight the errors.
No error
How long has your installation been running?
Many years
If it is a fresh install consult the documentation first.
Not a fresh install
Most likely it is a port conflict or a remote dependency was unavailable.
No
Did you install upgrades, packages or use the update script?
Long back
Did you modify any scripts or configs? If yes, please attach the changes.
No
How much free disk space is available (df -h)?
This is the issue which I am going to explain
What is the current container status (dps)?
All container running
On Linux: What is the status of the T-Pot service (systemctl status tpot)?
Running
What ports are being occupied? Stop T-Pot systemctl stop tpot and run grc netstat -tulpen
Not related to port
TPOT has been running in our environment for many years and we have updated it previously. There is no issue with running TPOT and it is running perfectly. It is a distributed setup and we recently installed some more sensors. After installing the sensors, an issue related to disk space has now occurred. As you can see in the screenshot, TPOT is storing the logs in /dev/mapper/osencrypt. The current storage is the TPOT install path under tpotce/data, and tpotce/data is part of this /dev/mapper/osencrypt.
The issue here is that this part of the disk is encrypted, so we cannot really increase the size of this /. We are planning to move the data storage path to /data1, which has 251GB of storage, and then also direct the ELK to use this path accordingly. We do not want to disrupt our stable environment with some trials. So can you please guide us on how to do this? Here are the requirements:
The log storage path needs to move to /data1. Currently logs are stored in tpotce/data, which is part of /dev/mapper/osencrypt
Modify the ELK settings accordingly so that the dashboard and log storage work smoothly
Any other settings, if we need to modify them
Stop all T-Pot services: [sudo] systemctl stop tpot
Make a backup of the $HOME/tpotce/data folder
Copy the data folder to the new destination: [sudo] cp -r data /new/dest/
Make sure the user T-Pot was installed with is the owner: [sudo] chown -R username:username /new/dest/data
Create a static link: ln -s /new/dest/data $HOME/tpotce
Verify the static link points to the correct destination: ls -al $HOME/tpotce, the data folder should now point to the new destination, i.e.: data -> /new/dest/data
Start the T-Pot services again: [sudo] systemctl start tpot
Check the tpotinit log for errors: docker logs tpotinit -f
... yet, I recommend doing this on a test machine first. As this is experimental it might have side effects currently not showing or with later updates that might require repeating the procedure.
I will test it. But before that I have a question.
Is it not possible to modify the docker-compose.yml file and change this line, - ${TPOT_DATA_PATH}:/data, to direct it to the path which has 251GB of storage, doing this for the entire document and then rerunning the yml file?
You can simply try and adjust $HOME/tpotce/.env since we started implementing a config option exactly for that ... :
# T-Pot Data Path
TPOT_DATA_PATH=./data
... but this has not been completed yet and, as the other way I described, it is still experimental and needs work / is untested on a larger scale, hence the disclaimer ... :
###################################################################################
# NEVER MAKE CHANGES TO THIS SECTION UNLESS YOU REALLY KNOW WHAT YOU ARE DOING!!! #
###################################################################################
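Checks around either route described above (the symlink or TPOT_DATA_PATH), as an added example that is not part of the thread or of the T-Pot project: a pre-flight free-space test, then verification that the data link resolves to the new destination with the expected owner, which also fails when the original data directory is still in place and no link exists. The function names and paths are assumptions, as is resolving a relative TPOT_DATA_PATH against the directory that holds .env.

```shell
#!/bin/sh
# Added example (not T-Pot project code): checks around relocating the T-Pot data folder.
# Function names and the paths in the usage guard are assumptions.

# KiB used by a directory tree / KiB free on the filesystem holding a path.
dir_used_kb() { du -sk "$1" | awk '{print $1}'; }
fs_free_kb()  { df -Pk "$1" | awk 'NR==2 {print $4}'; }

# Pre-flight: can the filesystem at $2 hold the tree at $1 plus $3 percent headroom?
has_room() {
    need=$(( $(dir_used_kb "$1") * (100 + ${3:-20}) / 100 ))
    [ "$(fs_free_kb "$2")" -ge "$need" ]
}

# Post-move: $1 must be a symlink resolving to $2, with every entry owned by user $3.
verify_link() {
    [ -L "$1" ] || { echo "not a symlink: $1" >&2; return 1; }
    [ "$(readlink -f "$1")" = "$(readlink -f "$2")" ] ||
        { echo "$1 does not resolve to $2" >&2; return 1; }
    # 2>&1: a find error (for example an unknown user) also counts as a failure.
    stray=$(find "$2" ! -user "$3" -print 2>&1 | head -n 1)
    [ -z "$stray" ] || { echo "ownership problem: $stray" >&2; return 1; }
}

# .env route: print the absolute path TPOT_DATA_PATH points at. Assumes a relative
# value is resolved against the directory containing the .env file.
env_data_path() {
    val=$(sed -n 's/^TPOT_DATA_PATH=//p' "$1" | tail -n 1)
    [ -n "$val" ] || { echo "TPOT_DATA_PATH not set in $1" >&2; return 1; }
    ( cd "$(dirname "$1")" && readlink -f "$val" )
}

# Usage guard: only runs when called as `script check <new-dest-data-dir> <owner>`.
if [ "${1:-}" = "check" ]; then
    verify_link "$HOME/tpotce/data" "$2" "$3" && env_data_path "$HOME/tpotce/.env"
fi
```

Run `has_room` while T-Pot is still on the old path, and the `check` mode after the services have been stopped and the data moved, before starting them again.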
Ubuntu
lsb_release -a and uname -a?
Ubuntu 22.04.5 LTS, Linux gag02********* 6.8.0-1020-azure #23~22.04.1-Ubuntu SMP x86_64 GNU/Linux