[Oisf-devel] Log output - syslog

Jason Ish lists at unx.ca
Thu Feb 13 18:57:58 UTC 2014


On Thu, Feb 13, 2014 at 12:36 PM, Victor Julien <victor at inliniac.net> wrote:
> On 02/13/2014 07:33 PM, Jason Ish wrote:
>>>> I found the following forum where this was brought up awhile ago, did
>>>> anything ever come of it?
>>>>
>>>> http://comments.gmane.org/gmane.comp.security.ids.oisf.user/1358
>>>
>>> I don't think so. In irc we recently discussed the topic of log file
>>> rotation. I think Jason Ish might be working on something there.
>> Yes, I've started implementing SIGHUP style rotation, so you can have
>> logrotate rename (instead of copy) the log files, then send a Suricata
>> a SIGHUP to re-open.  I've implemented this the new eve log as well as
>> fast, I do plan to cover the rest as well.
>
> Does that mean Suricata will wait/sleep between the two SIGHUP's or did
> I misunderstand the method you use?

No sleeping.  See https://github.com/inliniac/suricata/pull/829.

On SIGHUP, a flag is set on any registered loggers, if the flag is set
when the logger logs, the logger will close and re-open the log file
(truncating it if it still exists).  This gets rid of that small
window where an event can be lost between copying the current file and
truncating it.
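The flag-then-reopen scheme described above, as an added illustration that is not code from the thread or from the Suricata pull request: a SIGHUP handler only marks every registered logger, and the next write on that logger closes and reopens its file, truncating it if it still exists. The `Logger` type, the registry and the function names are assumptions for this example; the `main` simulates logrotate by renaming the file and then raising SIGHUP in-process.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* One registered logger: a path and its open FILE*. The reopen flag is the
 * only thing the signal handler touches; the logging path consumes it. */
typedef struct {
    const char *path;
    FILE *fp;
    volatile sig_atomic_t reopen;
} Logger;

#define MAX_LOGGERS 8
static Logger *registry[MAX_LOGGERS];
static int registry_count = 0;

/* Open the log in append mode and register it so SIGHUP reaches it.
 * Returns 0 on success, -1 on failure. */
int logger_open(Logger *lg, const char *path) {
    if (registry_count >= MAX_LOGGERS) return -1;
    lg->path = path;
    lg->reopen = 0;
    lg->fp = fopen(path, "a");
    if (lg->fp == NULL) return -1;
    registry[registry_count++] = lg;
    return 0;
}

/* SIGHUP handler: flips flags only, so it stays async-signal-safe.
 * No fclose/fopen happens here; that is deferred to the logging path. */
void logger_sighup_handler(int signo) {
    (void)signo;
    for (int i = 0; i < registry_count; i++) registry[i]->reopen = 1;
}

int logger_install_sighup(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = logger_sighup_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;
    return sigaction(SIGHUP, &sa, NULL);
}

/* Called from the logging path. If a reopen was requested, close the old
 * FILE* and reopen the path with "w", which truncates the file if it still
 * exists (logrotate is expected to have renamed it away). Returns the byte
 * count written, or -1 on error. */
int logger_write(Logger *lg, const char *line) {
    if (lg->reopen) {
        lg->reopen = 0;
        if (lg->fp != NULL) fclose(lg->fp);
        lg->fp = fopen(lg->path, "w");
        if (lg->fp == NULL) return -1;
    }
    int n = fprintf(lg->fp, "%s\n", line);
    if (n < 0) return -1;
    fflush(lg->fp);
    return n;
}

void logger_close(Logger *lg) {
    if (lg->fp != NULL) { fclose(lg->fp); lg->fp = NULL; }
}

/* Helper for checking results: copy the first line of a file (without the
 * newline) into buf. Returns 0 on success, -1 if the file cannot be read. */
int file_first_line(const char *path, char *buf, size_t n) {
    FILE *f = fopen(path, "r");
    if (f == NULL) return -1;
    if (fgets(buf, (int)n, f) == NULL) { fclose(f); return -1; }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

int main(void) {
    Logger eve;
    if (logger_open(&eve, "eve_demo.json") != 0) return 1;
    logger_install_sighup();
    logger_write(&eve, "{\"event\":1}");
    rename("eve_demo.json", "eve_demo.json.1"); /* what logrotate does */
    raise(SIGHUP);                                /* logrotate postrotate */
    logger_write(&eve, "{\"event\":2}");          /* lands in the new file */
    logger_close(&eve);
    return 0;
}
```

Because the old file is renamed rather than copied, nothing written between the rename and the reopen is lost: writes before the flag is consumed still go to the renamed file through the old descriptor, and the first write afterwards creates the new one.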
