[Oisf-users] Rotated log files created, but logs go to rotated files

Jeremy MJ jskier at gmail.com
Thu Jul 2 12:04:57 UTC 2015


>I do not think the size of the log file is the issue. I have a set up
>that rotates 140GB-180GB eve log daily - I have not experienced any
>logrotate challenges so far. I think the problem might be somewhere
>else.

Correct, I looked into it and having the log files on a separate
partition from logrotate was the issue. Once installed on the same
partition it's fine. I was aware of this issue with logrotate, however
my test box has grown into a bit of a complicated setup.

I am now able to use logrotate with the eve logs just fine, rotating
daily, several hundred megabytes worth.

Thanks for all of your input - got me going in the right direction!

--
Jeremy MJ


On Sun, Jun 28, 2015 at 5:04 AM, Peter Manev <petermanev at gmail.com> wrote:
> On Fri, Jun 26, 2015 at 8:18 PM, Jeremy MJ <jskier at gmail.com> wrote:
>>> Yes, this is a definite issue which I will address soon.
>> Issue in and assigned to you. Marked as feature, as it's more for
>> consistency than a bug.
>>
>>> As for rotation over 80MB?  My eve.log normally gets to 300MB or
>>> so before rotation by logrotate just fine. Anyways, if you are seeing an
>>> issue with rotating large file sizes it's more likely your logrotate
>>> program than Suricata, as all Suricata does on HUP is close the
>>> existing log file, then re-open it - appending if it already exists,
>>> or creating a new file if it doesn't exist, so the size should not be
>>> an issue.
>>
>> 80 MB is arbitrary and appears to work. The log files over 100 MB for
>> me get rotated and suricata follows to the new logs.
>
> I do not think the size of the log file is the issue. I have a set up
> that rotates 140GB-180GB eve log daily - I have not experienced any
> logrotate challenges so far. I think the problem might be somewhere
> else.
>
>>
>> There are a number of variables for the other issue. I am wild carding
>> the .log files in logrotate, in a virtual environment with unique
>> storage, version of logrotate (latest stable) used, to name a few.
>>
>> So, I'll hold off on putting that in as a suricata issue. I'll keep
>> looking into changing the variables to see if I can pin it down
>> further and place the issue with the appropriate project.
>>
>> Jeremy MJ
>> jskier at gmail.com
>>
>> On 6/26/2015 12:50 PM, Jason Ish wrote:
>>> On Fri, Jun 26, 2015 at 11:45 AM, Jeremy MJ <jskier at gmail.com>
>>> wrote:
>>>>
>>>> Went to ext4. Odd, I think it has to do with the size of the
>>>> logs, because it will rotate on log rotate force when the files
>>>> are smaller. I see no reason why a moderate size (80MB) rotation
>>>> will work just fine.
>>>>
>>>> So, there are two issues, one: plain log output isn't working
>>>> right at all (not part of the HUP), two: eve logs do not properly
>>>> rotate over a certain size.
>>>
>>> Yes, this is a definite issue which I will address soon.
>>>
>>> As for rotation over 80MB?  My eve.log normally gets to 300MB or
>>> so before rotation by logrotate just fine. Anyways, if you are
>>> seeing an issue with rotating large file sizes it's more likely your
>>> logrotate program than Suricata, as all Suricata does on HUP is
>>> close the existing log file, then re-open it - appending if it
>>> already exists, or creating a new file if it doesn't exist, so the
>>> size should not be an issue.
>>>
>>>> I will put in these issues shortly,
>>>
>>> Thanks, Jason
>>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
>
>
>
> --
> Regards,
> Peter Manev
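As an added example of the daily rotation discussed in this thread (not part of any of the original posts), a logrotate stanza that relies on the HUP close-and-reopen behaviour Jason describes, with the cross-filesystem caveat Jeremy ran into noted inline. The log directory, the PID file path and the retention count are assumptions.

```conf
# /etc/logrotate.d/suricata  (example; paths below are assumptions)
# Rotates the plain and EVE JSON outputs once a day and asks Suricata to
# reopen its files afterwards. Without the HUP, Suricata keeps writing to
# the renamed file and the freshly created one stays empty.
/var/log/suricata/*.log /var/log/suricata/*.json {
    daily
    rotate 7
    missingok
    notifempty
    # Compress one cycle late: Suricata may still append to the old file
    # for a moment between the rename and the HUP being processed.
    compress
    delaycompress
    # Recreate the file so ownership/permissions match what Suricata expects.
    create 0640 suricata suricata
    # Run postrotate once for the whole set, not once per matched file.
    sharedscripts
    postrotate
        # Suricata only needs SIGHUP: it closes and reopens its log files.
        /bin/kill -HUP $(cat /var/run/suricata.pid 2>/dev/null) 2>/dev/null || true
    endscript
    # Caveat from logrotate(8): if you move rotated files with "olddir",
    # that directory must be on the same filesystem as the live logs,
    # because logrotate renames rather than copies. Keeping logs and their
    # archive on separate partitions needs "copytruncate" instead, at the
    # cost of possibly losing lines written during the copy.
}
```

`logrotate -d /etc/logrotate.d/suricata` performs a dry run and prints what would be rotated, which is the quickest way to confirm the globs and the HUP command before waiting for the daily cycle.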

