[Oisf-users] Rotate unified2 log with live rules reload

Jason Ish lists at unx.ca
Sun Dec 6 17:25:43 UTC 2015


On Fri, Dec 4, 2015 at 9:26 AM, Brian Hennigar <bhennigar at gmail.com> wrote:
> Hi!
> Is it possible to have suricata start writing to a new unified2 file when a
> USR2 signal is sent for a live reload of the rules?  I'm not seeing a way to
> do this without fully restarting suricata. I'm not wanting to set a limit
> size on the unified2 files but wanting it to make a new one every few hours.
> Right now, I'm fully restarting suricata to get a new file created.

There is no way to do that now, but I think something similar would
make a reasonable feature request:

- Give the unified2 output a "nostamp" option like Snort.
- If nostamp is on, subject the unified2 output to HUP file rotation.

Then you could do file rotation like you would on other output
files like eve: move the existing one out of the way, then HUP Suricata to
start writing to a new file.

Jason
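The rotate-then-HUP procedure the reply describes for HUP-rotatable outputs such as eve, as an added shell example (not code from the post or from the Suricata project). It assumes the output path and Suricata's PID file are passed as arguments and that Suricata reopens the output at its original path on SIGHUP; it does not apply to unified2, which the reply says is not HUP-rotatable.

```shell
#!/bin/sh
# Added example, not from the mailing list post or the Suricata project.
# Rotate a HUP-rotatable Suricata output (e.g. eve.json): move the current
# file out of the way, then send SIGHUP so Suricata reopens the original
# path and starts a fresh file there.
# Assumptions (not from the post): $1 is the output file, $2 is the PID file.

rotate_and_hup() {
    logfile="$1"
    pidfile="$2"
    stamp=$(date -u +%Y%m%d%H%M%S)
    rotated="${logfile}.${stamp}"

    [ -f "$logfile" ] || { echo "no such log: $logfile" >&2; return 1; }
    [ -r "$pidfile" ] || { echo "no pid file: $pidfile" >&2; return 1; }
    pid=$(cat "$pidfile")
    # Check the PID is alive before touching the file, so a stale PID file
    # does not leave the log renamed with nothing to reopen the new one.
    kill -0 "$pid" 2>/dev/null || { echo "pid $pid not running" >&2; return 1; }

    # rename(2) is atomic within one filesystem; the writer keeps appending to
    # the renamed inode until it reopens the path on HUP, so no events are lost.
    mv -- "$logfile" "$rotated" || return 1
    kill -HUP "$pid" || { echo "failed to signal pid $pid" >&2; return 1; }
    printf '%s\n' "$rotated"
}
```

Run it from cron (or a logrotate `postrotate` hook that does the same `kill -HUP`) every few hours to get the time-based rotation the original question asked for on eve output.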
