[Oisf-devel] http.log file rollover

Martin Holste mcholste at gmail.com
Wed Sep 7 11:49:56 EDT 2011


Actually, I think it's easier than that.  If you simply create a
socket file named whatever Suricata is supposed to write out, it will
"just work" in most situations.  Of course, there are the caveats of
losing logs when no one is reading from the socket, but as long as
Suricata's writer thread won't break if the destination is unwritable,
then there shouldn't be any adverse impact.  I haven't actually tried
this, so someone should probably confirm that.

On Wed, Sep 7, 2011 at 9:26 AM, Victor Julien <victor at inliniac.net> wrote:
> Sounds good Martin. Can you open a feature ticket?
>
> On 09/07/2011 03:16 PM, Martin Holste wrote:
>> One thing you could do would be to have Suricata write to a socket
>> instead of a file.  Syslog-ng and rsyslog (default on most new
>> Linuxes) will happily read from a socket, as will almost any program.
>> That would decouple Suricata from having to worry about those details.
>>
>> On Wed, Sep 7, 2011 at 5:34 AM, Victor Julien <victor at inliniac.net> wrote:
>>> On 09/05/2011 04:04 PM, Brant Wells wrote:
>>>> Hi All,
>>>>
>>>> Just a slight problem that I have noticed that when I logrotate the http.log
>>>> file for Suricata, when the system creates the new file, Suricata no longer
>>>> writes to the new, empty http.log file until I restart it.
>>>>
>>>> After forcing a logrotate, Suricata (or logrotate) didn't even create the
>>>> empty http.log file.  Suricata continued to run normally, just without
>>>> updating that log file.
>>>>
>>>> Not sure if this is a bug or what-not, but figured I should pass it along
>>>> anyhow.
>>>
>>> I've seen this before in another project. It seems Suricata keeps
>>> writing to the old file descriptor while the file is actually at a new
>>> place (a new file was created by the rotate). I think most programs work
>>> around this by sending a signal which reopens the file. Not sure if a
>>> better solution exists.
>>>
>>>> Running from git: Suricata 1.1beta2 (rev 8855990) ...
>>>>
>>>> On another unrelated topic...  I have compiled with --enable-debug ...
>>>>
>>>> If suricata crashes or what-not, where can I find the core dump?
>>>
>>> You'll have to set a ulimit: ulimit -c unlimited and then it will dump
>>> core to suricata's CWD, which is the dir you started it from normally.
>>>
>>> Still need to add that to the code/config to configure.
>>>
>>> Cheers,
>>> Victor
>>>
>>> --
>>> ---------------------------------------------
>>> Victor Julien
>>> http://www.inliniac.net/
>>> PGP: http://www.inliniac.net/victorjulien.asc
>>> ---------------------------------------------
>>>
>>> _______________________________________________
>>> Oisf-devel mailing list
>>> Oisf-devel at openinfosecfoundation.org
>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
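The stale-descriptor behaviour Victor describes, shown as an added C example (not Suricata code, and not from anyone in this thread): the writer compares the inode behind its open descriptor with the inode currently at the log path and reopens on a mismatch or on SIGHUP, the signal-based workaround he mentions. The log path and the `.1` rotated name are constructed for the demo.

```c
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Set by the SIGHUP handler; the writer polls it and reopens the log. */
static volatile sig_atomic_t reopen_requested = 0;
static void on_sighup(int sig) { (void)sig; reopen_requested = 1; }

static int log_open(const char *path) {  /* create-or-append, never truncate */
    return open(path, O_WRONLY | O_CREAT | O_APPEND, 0640);
}

/* 1 if fd no longer refers to the inode at `path` (renamed/removed by
 * logrotate) or the path is gone; 0 if both still name the same file. */
static int log_rotated(const char *path, int fd) {
    struct stat on_disk, opened;
    if (fstat(fd, &opened) != 0 || stat(path, &on_disk) != 0) return 1;
    return on_disk.st_dev != opened.st_dev || on_disk.st_ino != opened.st_ino;
}

/* Write one line, reopening first if a rotation was detected or SIGHUP
 * asked for it. Returns the (possibly new) descriptor, or -1 on error. */
static int log_write(const char *path, int fd, const char *line) {
    if (reopen_requested || log_rotated(path, fd)) {
        reopen_requested = 0;
        if (fd >= 0) close(fd);
        if ((fd = log_open(path)) < 0) return -1;
    }
    return write(fd, line, strlen(line)) < 0 ? -1 : fd;
}

/* Scenario: write, rename the file as logrotate would, write again via the
 * stale fd, then a SIGHUP-triggered reopen. Returns 0 when every step behaved. */
static int rotation_demo(const char *path) {
    char rotated[4096]; struct stat st;
    snprintf(rotated, sizeof rotated, "%s.1", path);  /* constructed name */
    signal(SIGHUP, on_sighup);
    int fd = log_write(path, -1, "first line\n");          /* creates the log */
    if (fd < 0 || rename(path, rotated) != 0) return 1;    /* logrotate step */
    if (!log_rotated(path, fd)) return 2;                  /* stale fd spotted */
    if ((fd = log_write(path, fd, "second line\n")) < 0) return 3; /* new file */
    raise(SIGHUP);                                         /* "reopen" signal */
    if ((fd = log_write(path, fd, "third line\n")) < 0 || reopen_requested) return 4;
    if (stat(path, &st) != 0 || st.st_size != 23) return 5; /* 12 + 11 bytes */
    close(fd); unlink(path); unlink(rotated);
    return 0;
}
```

Without the inode check or the signal, the second and third lines would land in the renamed `.1` file and the fresh `http.log` would stay empty, which is exactly the symptom Brant reported.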

