[Oisf-devel] http.log file rollover

Victor Julien victor at inliniac.net
Wed Sep 7 14:26:44 UTC 2011


Sounds good Martin. Can you open a feature ticket?

On 09/07/2011 03:16 PM, Martin Holste wrote:
> One thing you could do would be to have Suricata write to a socket
> instead of a file.  Syslog-ng and rsyslog (default on most new
> Linuxes) will happily read from a socket, as will almost any program.
> That would decouple Suricata from having to worry about those details.
> 
> On Wed, Sep 7, 2011 at 5:34 AM, Victor Julien <victor at inliniac.net> wrote:
>> On 09/05/2011 04:04 PM, Brant Wells wrote:
>>> Hi All,
>>>
>>> Just a slight problem that I have noticed that when I logrotate the http.log
>>> file for Suricata, when the system creates the new file, Suricata no longer
>>> writes to the new, empty http.log file until I restart it.
>>>
>>> After forcing a logrotate, Suricata (or logrotate) didn't even create the
>>> empty http.log file.  Suricata continues to run normally, just without
>>> updating that log file.
>>>
>>> Not sure if this is a bug or what-not, but figured I should pass it along
>>> anyhow.
>>
>> I've seen this before in another project. It seems Suricata keeps
>> writing to the old file descriptor while the file is actually at a new
>> place (a new file was created by the rotate). I think most programs work
>> around this by sending a signal which reopens the file. Not sure if a
>> better solution exists.
>>
>>> Running from git: Suricata 1.1beta2 (rev 8855990) ...
>>>
>>> On another unrelated topic...  I have compiled with --enable-debug ...
>>>
>>> If suricata crashes or what-not, where can I find the core dump?
>>
>> You'll have to set a ulimit: ulimit -c unlimited and then it will dump
>> core to suricata's CWD, which is the dir you started it from normally.
>>
>> Still need to add that to the code/config to configure.
>>
>> Cheers,
>> Victor
>>
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
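
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not Suricata's code: a writer that keeps its file descriptor across a rename-style rotation, and the same writer reopening the path when signalled. The path `http.log.demo`, the helper names and the choice of SIGHUP as the reopen signal are assumptions made for the illustration.

```c
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed demo path in the CWD; not Suricata's real log location. */
static const char *log_path = "http.log.demo";
static int log_fd = -1;
static volatile sig_atomic_t reopen_requested = 0;

/* Handler only sets a flag; the reopen happens on the writer's next call. */
static void on_sighup(int sig) { (void)sig; reopen_requested = 1; }

static int log_open(void) {
    if (log_fd >= 0) close(log_fd);
    log_fd = open(log_path, O_WRONLY | O_CREAT | O_APPEND, 0640);
    return log_fd >= 0 ? 0 : -1;
}

static int log_write(const char *line) {
    if (reopen_requested) {
        reopen_requested = 0;
        if (log_open() < 0) return -1;
    }
    return write(log_fd, line, strlen(line)) < 0 ? -1 : 0;
}

/* Size of log_path after a rename-style rotation, or -1 if it does not exist. */
static long rotate_demo(int send_sighup) {
    char rotated[64]; struct stat st;
    snprintf(rotated, sizeof rotated, "%s.1", log_path);
    unlink(log_path); unlink(rotated);
    signal(SIGHUP, on_sighup);
    if (log_open() < 0) return -2;
    log_write("before rotate\n");
    rename(log_path, rotated);       /* rotation moves the file; the fd follows the inode */
    if (send_sighup) raise(SIGHUP);  /* stands in for a postrotate "kill -HUP <pid>" */
    log_write("after rotate\n");
    long live = stat(log_path, &st) == 0 ? (long)st.st_size : -1;
    close(log_fd); log_fd = -1;
    unlink(log_path); unlink(rotated);
    return live;
}

int main(void) {
    printf("no signal: %ld, with SIGHUP: %ld\n", rotate_demo(0), rotate_demo(1));
    return 0;
}
```

Without the signal the second line lands in the rotated file and the live path is never created, which matches the report above; for a sensor this means HTTP events silently stop appearing where log shippers and analysts look for them.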



