[Oisf-users] Rotated log files created, but logs go to rotated files

Peter Manev petermanev at gmail.com
Sun Jul 5 08:54:57 UTC 2015


On Thu, Jul 2, 2015 at 2:04 PM, Jeremy MJ <jskier at gmail.com> wrote:
>>I do not think the size of the log file is the issue. I have a set up
>>that rotates 140GB-180GB eve log daily  - I have not experienced any
>>logrotate challenges so far. I think the problem might be somewhere
>>else.
>
> Correct, I looked into it and having the log files on a separate
> partition from logrotate was the issue. Once installed on the same
> partition it's fine. I was aware of this issue with logrotate, however
> my test box has grown into a bit of a complicated setup.
>
> I am now able to use logrotate with the eve logs just fine, rotating
> daily, several hundred megabytes worth.
>
> Thanks for all of your input - got me going in the right direction!
>

Thanks for the feedback.
Glad you managed to pin it down.


> --
> Jeremy MJ
>
>
> On Sun, Jun 28, 2015 at 5:04 AM, Peter Manev <petermanev at gmail.com> wrote:
>> On Fri, Jun 26, 2015 at 8:18 PM, Jeremy MJ <jskier at gmail.com> wrote:
>>>> Yes, this is a definite issue which I will address soon.
>>> Issue in and assigned to you. Marked as feature, as it's more for
>>> consistency than a bug.
>>>
>>>> As for rotation over 80MB?  My eve.log normally gets to 300MB or
>>>> so before rotation by logrotate just fine. Anyways, if you are seeing an
>>>> issue with rotating large file sizes it's more likely your logrotate
>>>> program than Suricata, as all Suricata does on HUP is close the
>>>> existing log file, then re-open it - appending if it already exists,
>>>> or creating a new file if it doesn't exist, so the size should not be
>>>> an issue.
>>>
>>> 80 MB is arbitrary and appears to work. The log files over 100 MB for
>>> me get rotated and suricata follows to the new logs.
>>
>> I do not think the size of the log file is the issue. I have a set up
>> that rotates 140GB-180GB eve log daily  - I have not experienced any
>> logrotate challenges so far. I think the problem might be somewhere
>> else.
>>
>>>
>>> There are a number of variables for the other issue. I am wild carding
>>> the .log files in logrotate, in a virtual environment with unique
>>> storage, version of logrotate (latest stable) used, to name a few.
>>>
>>> So, I'll hold off on putting that in as a suricata issue. I'll keep
>>> looking into changing the variables to see if I can pin it down
>>> further and place the issue with the appropriate project.
>>>
>>> Jeremy MJ
>>> jskier at gmail.com
>>>
>>> On 6/26/2015 12:50 PM, Jason Ish wrote:
>>>> On Fri, Jun 26, 2015 at 11:45 AM, Jeremy MJ <jskier at gmail.com>
>>>> wrote:
>>>>>
>>>>> Went to ext4. Odd, I think it has to do with the size of the
>>>>> logs, because it will rotate on log rotate force when the files
>>>>> are smaller. I see no reason why a moderate size (80MB) rotation
>>>>> will work just fine.
>>>>>
>>>>> So, there are two issues, one: plain log output isn't working
>>>>> right at all (not part of the HUP), two: eve logs do not properly
>>>>> rotate over a certain size.
>>>>
>>>> Yes, this is a definite issue which I will address soon.
>>>>
>>>> As for rotation over 80MB?  My eve.log normally gets to 300MB or
>>>> so before rotation by logrotate just fine. Anyways, if you are
>>>> seeing an issue with rotating large file sizes it's more likely your
>>>> logrotate program than Suricata, as all Suricata does on HUP is
>>>> close the existing log file, then re-open it - appending if it
>>>> already exists, or creating a new file if it doesn't exist, so the
>>>> size should not be an issue.
>>>>
>>>>> I will put in these issues shortly,
>>>>
>>>> Thanks, Jason
>>>>
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
>>
>>
>>
>> --
>> Regards,
>> Peter Manev



-- 
Regards,
Peter Manev
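
The symptom in the subject line follows from the close-and-re-open behaviour on HUP that is described in the thread. The sketch below is an added example, not part of the original messages and not Suricata's code; `ReopenableLog` and `rotate_demo` are hypothetical names, and the log lines are constructed. It renames a live log the way a rotation does and shows where later lines land with and without the re-open.

```python
import os
import tempfile


class ReopenableLog:
    """Append-mode writer that re-opens its path on request.

    Models the behaviour described in the thread: on HUP the writer closes
    the existing file and opens the same path again, appending or creating.
    """

    def __init__(self, path):
        self.path = path
        self.fh = open(path, "a")

    def write(self, line):
        self.fh.write(line + "\n")
        self.fh.flush()

    def reopen(self):
        # What a HUP handler would trigger: close, then open the path again.
        self.fh.close()
        self.fh = open(self.path, "a")


def _lines(path):
    """Return the lines of a file, or None if the file does not exist."""
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        return fh.read().split()


def rotate_demo(send_hup):
    """Rename the live log, optionally re-open, and report where lines land."""
    with tempfile.TemporaryDirectory() as d:
        live = os.path.join(d, "eve.log")
        rotated = live + ".1"
        log = ReopenableLog(live)
        log.write("event-1")        # constructed sample line
        os.rename(live, rotated)    # rotation: same inode, new name
        if send_hup:
            log.reopen()            # writer is told to re-open its path
        log.write("event-2")        # constructed sample line
        log.fh.close()
        return {"live": _lines(live), "rotated": _lines(rotated)}


if __name__ == "__main__":
    print("no HUP:", rotate_demo(send_hup=False))
    print("HUP   :", rotate_demo(send_hup=True))
```

Without the re-open the writer's descriptor still points at the renamed file, so new lines keep going to the rotated name and no new live file appears.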


