[Oisf-users] Rotated log files created, but logs go to rotated files

Tue Jun 23 14:09:56 UTC 2015

Thanks Oliver. I'm running as user suri, and pid file is in fact
accurate and references the PID of the current running suricata
process. Permissions for new logs are the same as old, chmod 660.

I tried a force with nocreate, and interestingly, some rotated
properly while others did not. Any eve-log sub outputs (alert, files,
stats) worked fine, whereas *-json.log sub outputs kept with the newly
rotated log file. The reason I do it this way is in order to get the
the outputs to be configured properly, those three needed eve-log
stanza.

Looks like copytruncate works fine, which makes sense. If I had to
guess, the *-json.log files aren't getting getting recreated whereas
the eve-log outputs are. So, perhaps if I specify every output as
eve-log to it's own file, this would work properly.

Someone asked for the output config, this is at the bottom.

logrotate conf I'm using:
{
        su suri suri
        daily
        missingok
        dateext
        dateformat _%m-%d-%Y
        rotate 7
        nocompress
        nocreate
        sharedscripts
        postrotate
                /bin/kill -HUP $(cat /home/suri/run/suri.pid)
        endscript
}

outputs:
  - dns-json-log:
      enabled: yes
      filename: dns-json.log
  - http-json-log:
      enabled: yes
      filename: http-json.log
      extended: yes
  - ssh-json-log:
      enabled: yes
      filename: ssh-json.log
  - tls-json-log:
      enabled: yes
      filename: tls-json.log
      extended: yes
  - flow-json-log:
      enabled: yes
      filename: flow-json.log
  - nflow-json-log:
      enabled: yes
      filename: nflow-json.log
  - eve-log:
      enabled: yes
      type: file
      filename: alert-json.log
      types:
        - alert:
                payload: yes
                payload-printable: yes
                packet: yes
                http: yes
                tls: yes
                ssh: yes
  - eve-log:
      enabled: yes
      type: file
      filename: stats-json.log
      types:
        - stats:
                totals: yes
                threads: yes
  - eve-log:
      enabled: yes
      type: file
      filename: files-json.log
      types:
        - files:
                force-magic: yes
                force-md5: yes

--
Jeremy MJ

On Tue, Jun 23, 2015 at 8:27 AM, Oliver Humpage <oliver at watershed.co.uk> wrote:
>
> On 23 Jun 2015, at 14:20, Jeremy MJ <jskier at gmail.com> wrote:
>
>> This may be a file system or logrotate issue, but I noticed that after
>> rotating last night at midnight, the new files were created and zero
>> length, and suricata was writing to the rotated log file.
>
> Sounds like the HUP isn't being sent to suricata - can you confirm that /var/run/suricata.pid exists and has the correct pid of your suricata process in it?
>
> Might be worth comparing the permissions on the old and new files as well, just to be sure.
>
> Oliver.
>