<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Arial",sans-serif;
color:windowtext;
font-weight:normal;
font-style:normal;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Courier New";}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head><body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif">I am trying to get log rotation working. I have put this in my suricata.yaml file to attempt log rotation every 1 minute. Using Suricata 4.0.4<br>
<br>
as a side note, I’m not sure where I came up with this.<br>
<br>
- eve-log:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"> enabled: yes<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"> filetype: regular #regular|syslog|unix_dgram|unix_stream|redis<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"> filename: biflow.json<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"> rotate-interval: 1m<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"> types:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"> # bi-directional flows<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"> - flow<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"> # uni-directional flows<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"> #- netflow<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"> # Vars log flowbits and other packet and flow vars<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"> #- vars<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"> #<o:p></o:p></span></p>
<pre><span style="font-family:"Arial",sans-serif"><br>The documentation says<br><br><o:p></o:p></span></pre>
<pre><span style="font-family:"Arial",sans-serif;color:#404040;background:#FCFCFC">The following is an example <em><span style="font-family:"Arial",sans-serif">logrotate</span></em> configuration file that will rotate Suricata log files then send Suricata a SIGHUP triggering Suricata to open new files:</span><span style="font-family:"Arial",sans-serif"><br><br></span><span style="font-size:9.0pt;font-family:Consolas;color:#404040">/var/log/suricata/*.log /var/log/suricata/*.json<o:p></o:p></span></pre>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:Consolas;color:#404040">{<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:Consolas;color:#404040"> rotate 3<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:Consolas;color:#404040"> missingok<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:Consolas;color:#404040"> nocompress<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:Consolas;color:#404040"> create<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:Consolas;color:#404040"> sharedscripts<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:Consolas;color:#404040"> postrotate<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:Consolas;color:#404040"> /bin/kill -HUP `cat /var/run/suricata.pid 2>/dev/null` 2>/dev/null || true<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:Consolas;color:#404040"> endscript<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:Consolas;color:#404040">}<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"><br>
I am however, unclear as to where this goes or how it is used.<br>
<br>
Could I get just a little more guidance please????????<br>
<br>
Thanks in Advance<o:p></o:p></span></p>
</div>
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender
immediately and permanently delete the message and any attachments.
<br /><br />. . . . .</body></html>