<div dir="ltr"><div dir="ltr">That line states that you should use the "logrotate" program to handle log rotation<div><br></div><div>see <a href="https://linux.die.net/man/8/logrotate">https://linux.die.net/man/8/logrotate</a></div><div><br></div><div>Regards,</div><div>Davide</div></div><br><div class="gmail_quote"><div dir="ltr">On Tue, 27 Nov 2018 at 16:07 Charles Devoe <<a href="mailto:Charles.Devoe@cisecurity.org">Charles.Devoe@cisecurity.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">



<div lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="m_-9047328502583736256WordSection1">
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif">I am trying to get log rotation working. I have put this in my suricata.yaml file to attempt log rotation every 1 minute. Using Suricata 4.0.4<br>
<br>
As a side note, I'm not sure where I came up with this.</span></p>
<pre>  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: biflow.json
      rotate-interval: 1m
      types:
        # bi-directional flows
        - flow
        # uni-directional flows
        #- netflow
        # Vars log flowbits and other packet and flow vars
        #- vars
        #
</pre>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif">The documentation says</span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif;color:#404040">The following is an example <em>logrotate</em> configuration file that will rotate Suricata log files then send Suricata a SIGHUP triggering Suricata to open new files:</span></p>
<pre>/var/log/suricata/*.log /var/log/suricata/*.json
{
    rotate 3
    missingok
    nocompress
    create
    sharedscripts
    postrotate
            /bin/kill -HUP `cat /var/run/suricata.pid 2>/dev/null` 2>/dev/null || true
    endscript
}
</pre>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif">I am, however, unclear as to where this goes or how it is used.<br>
<br>
Could I get just a little more guidance please?<br>
<br>
Thanks in Advance</span></p>
</div>
</div>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">Davide Setti<br>R&D and Incident Response Team, Certego</div></div></div>
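<p>An added Python illustration, not part of the thread and not Suricata's or logrotate's own code, of why the <code>postrotate</code> SIGHUP line in that stanza matters: the stand-in writer below behaves like Suricata's eve-log output (one handle held open in append mode), and a logrotate-style rename with <code>create</code> but no reopen sends every later event into the rotated file while the new biflow.json stays empty. The names <code>EveWriter</code>, <code>rotate_like_logrotate</code> and <code>simulate</code> are assumptions of this example; the sample events are constructed.</p>

```python
import json
import os
import signal
import tempfile

class EveWriter:
    """Stand-in for Suricata's eve-log writer: one handle kept open in append
    mode and reopened only on request (Suricata reopens on SIGHUP)."""
    def __init__(self, path):
        self.path = path
        self.fh = open(path, "a")

    def write(self, event):
        self.fh.write(json.dumps(event) + "\n")
        self.fh.flush()

    def reopen(self, *_signal_args):
        # The old descriptor may now point at the renamed file; reopen the path
        # so subsequent events land in the freshly created file.
        self.fh.close()
        self.fh = open(self.path, "a")

def rotate_like_logrotate(path):
    """Mimic logrotate's 'create' mode: rename the live file and create an
    empty one under the original name. The writer still holds the old inode."""
    rotated = path + ".1"
    os.rename(path, rotated)
    open(path, "a").close()
    return rotated

def count_events(path):
    with open(path) as fh:
        return sum(1 for line in fh if line.strip())

def simulate(send_hup):
    """Write an event, rotate, optionally deliver SIGHUP as the postrotate
    script does, write again. Returns (events in rotated file, events in new file)."""
    path = os.path.join(tempfile.mkdtemp(), "biflow.json")  # filename from the thread
    writer = EveWriter(path)
    writer.write({"event_type": "flow", "flow_id": 1})  # constructed sample event
    rotated = rotate_like_logrotate(path)
    if send_hup:
        try:
            signal.signal(signal.SIGHUP, writer.reopen)
            os.kill(os.getpid(), signal.SIGHUP)  # what `/bin/kill -HUP <pid>` does
        except (AttributeError, ValueError):  # no SIGHUP, or not the main thread
            writer.reopen()
    writer.write({"event_type": "flow", "flow_id": 2})
    writer.fh.close()
    return count_events(rotated), count_events(path)
```

<p>This is also why <code>sharedscripts</code> belongs in the stanza: with both globs matched, the HUP is sent once after all files have been rotated rather than once per file.</p>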