[Oisf-users] Any solution about rotating suricata logs?

Edward Fjellskål edwardfjellskaal at gmail.com
Tue Nov 29 10:08:50 UTC 2011

On 11/29/2011 09:58 AM, carlopmart wrote:
> Hi all,
>    Due to a lot information stored under http.log, I need to run logrotate
> on it. Searching mailing list about this particular, I see this:
> http://lists.openinfosecfoundation.org/pipermail/oisf-devel/2011-September/000726.html
>    Exists any "clean" solution to do this??
> ---
> CL Martinez
> carlopmart {at} gmail {d0t} com
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

/logrotete + copytruncate/ ?

basically it does something like:
cp http.log http.log.1 && > http.log

If you gzip the files, you should get about 80-90% reduction. in size.
and if you use zgrep to grep for stuff in the gziped log files, it can 
actually be faster
than using grep on the uncompressed files.

My tests here now:
http.log      = 1.3 GB
http.log.gz =  174 MB

time grep google http.log > /dev/null
real 0m23.604s

time zgrep google http.log.gz > dev/null
real 0m8.332s


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20111129/189f5d3e/attachment-0002.html>

More information about the Oisf-users mailing list