[Oisf-devel] http.log file rollover

Martin Holste mcholste at gmail.com
Wed Sep 7 13:16:53 UTC 2011


One thing you could do would be to have Suricata write to a socket
instead of a file.  Syslog-ng and rsyslog (default on most new
Linuxes) will happily read from a socket, as will almost any program.
That would decouple Suricata from having to worry about those details.

On Wed, Sep 7, 2011 at 5:34 AM, Victor Julien <victor at inliniac.net> wrote:
> On 09/05/2011 04:04 PM, Brant Wells wrote:
>> Hi All,
>>
>> Just a slight problem that I have noticed that when I logrotate the http.log
>> file for Suricata, when the system creates the new file, Suricata no longer
>> writes to the new, empty http.log file until I restart it.
>>
>> After forcing a logrotate, Suricata (or logrotate) didn't even create the
>> empty http.log file.  Suricata continued to run normally, just without
>> updating that log file.
>>
>> Not sure if this is a bug or what-not, but figured I should pass it along
>> anyhow.
>
> I've seen this before in another project. It seems Suricata keeps
> writing to the old file descriptor while the file is actually at a new
> place (a new file was created by the rotate). I think most programs work
> around this by sending a signal which reopens the file. Not sure if a
> better solution exists.
>
>> Running from git: Suricata 1.1beta2 (rev 8855990) ...
>>
>> On another unrelated topic...  I have compiled with --enable-debug ...
>>
>> If suricata crashes or what-not, where can I find the core dump?
>
> You'll have to set a ulimit: ulimit -c unlimited and then it will dump
> core to suricata's CWD, which is the dir you started it from normally.
>
> Still need to add that to the code/config to configure.
>
> Cheers,
> Victor
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
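The stale-descriptor behaviour Victor describes, and the reopen-on-signal workaround, as an added example that is not part of the original thread or of Suricata's code. The writer class, the `reopen()` method and the `run_demo()` helper are hypothetical names; the demo uses a temporary directory and a plain `os.rename()` to stand in for what logrotate does to http.log.

```python
import os
import signal
import tempfile


class RotatingLogWriter:
    """Keep a log file open; reopen it on request (e.g. from a SIGHUP handler).

    After logrotate renames the file, this writer keeps appending to the
    old inode until reopen() is called, which is exactly the symptom in
    the thread: the rotated file keeps growing and the new one stays empty
    (or is never created).
    """

    def __init__(self, path):
        self.path = path
        self.fh = open(path, "a")

    def write(self, line):
        self.fh.write(line + "\n")
        self.fh.flush()

    def reopen(self, *_signal_args):
        # Close the old descriptor and open the path again so the new file is used.
        self.fh.close()
        self.fh = open(self.path, "a")

    def install_sighup_handler(self):
        # POSIX only: logrotate's postrotate script would send SIGHUP to the process.
        signal.signal(signal.SIGHUP, self.reopen)


def run_demo():
    """Simulate a rotation and report where each line ended up."""
    with tempfile.TemporaryDirectory() as tmpdir:
        path = os.path.join(tmpdir, "http.log")   # constructed sample path
        rotated = path + ".1"
        w = RotatingLogWriter(path)
        w.write("request 1")
        os.rename(path, rotated)                  # what logrotate does
        w.write("request 2")                      # still lands in the old inode
        new_file_exists = os.path.exists(path)    # False: nothing recreated it
        w.reopen()                                # what the SIGHUP handler does
        w.write("request 3")                      # now goes to the fresh file
        w.fh.close()
        with open(rotated) as f:
            old_lines = f.read().splitlines()
        with open(path) as f:
            new_lines = f.read().splitlines()
    return new_file_exists, old_lines, new_lines
```

Without the reopen step the third line would also land in http.log.1, which is the behaviour Brant reports; logrotate's `copytruncate` option avoids the reopen at the cost of possibly losing lines written between the copy and the truncate.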


