[Oisf-users] Rotate unified2 log with live rules reload

Brian Hennigar bhennigar at gmail.com
Mon Dec 7 14:30:54 UTC 2015


Is there anything I need to do to make this an official request or has it
already been done?
On Dec 6, 2015 3:33 PM, "Peter Manev" <petermanev at gmail.com> wrote:

> On Sun, Dec 6, 2015 at 6:25 PM, Jason Ish <lists at unx.ca> wrote:
> > On Fri, Dec 4, 2015 at 9:26 AM, Brian Hennigar <bhennigar at gmail.com> wrote:
> >> Hi!
> >> Is it possible to have suricata start writing to a new unified2 file when a
> >> USR2 signal is sent for a live reload of the rules?  I'm not seeing a way to
> >> do this without fully restarting suricata. I'm not wanting to set a limit
> >> size on the unified2 files but wanting it to make a new one every few hours.
> >> Right now, I'm fully restarting suricata to get a new file created.
> >
> > There is no way to do that now, but I think something similar would
> > make a reasonable feature request:
> >
> > - Give the unified2 output a "nostamp" option like Snort.
> > - If nostamp is on, subject the unified2 output to HUP file rotation.
> >
> > Then you could do file rotation like you would do on other output
> > files like eve. Move the existing one out of the way, HUP Suricata to
> > start writing to a new file.
> >
>
> This would make a nice feature request indeed!
>
> > Jason
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
>
>
>
> --
> Regards,
> Peter Manev
>
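The eve-style rotation Jason describes (move the live file aside, then HUP Suricata so it reopens a fresh one), as an added shell helper that is not part of this thread or of Suricata itself; it assumes the target is a file Suricata reopens on SIGHUP (as eve.json is, and as unified2 was not at the time), and that you know the Suricata PID.

```shell
#!/bin/sh
# rotate_suricata_log: rename a live output file and send SIGHUP so the
# daemon reopens the original path. Hypothetical helper written for this
# thread, not Suricata's own tooling.
#   $1 = path of the live log file     $2 = PID of the suricata process
# Prints the name of the rotated file on success, returns non-zero on failure.
rotate_suricata_log() {
    log="$1"; pid="$2"
    [ -f "$log" ] || { echo "no such log: $log" >&2; return 1; }
    kill -0 "$pid" 2>/dev/null || { echo "pid $pid not running" >&2; return 1; }
    rotated="${log}.$(date -u +%Y%m%d%H%M%S)"
    [ -e "$rotated" ] && { echo "target exists: $rotated" >&2; return 1; }
    # rename(2) is atomic on one filesystem; the daemon keeps writing to the
    # same inode (now the rotated name) until told to reopen, so no events
    # are lost in the gap between the move and the signal.
    mv "$log" "$rotated" || return 1
    kill -HUP "$pid" || return 1
    # Bounded wait for the daemon to recreate the path; if it never does, the
    # rotation is reported as failed rather than silently leaving no log.
    i=0
    while [ ! -e "$log" ]; do
        i=$((i + 1))
        [ "$i" -gt 15 ] && { echo "$log was not reopened after HUP" >&2; return 1; }
        sleep 1
    done
    echo "$rotated"
}
```

Check the rotated file is complete before shipping it downstream; a second rotation inside the same second will refuse to overwrite the earlier one.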

