[Oisf-users] Rotated log files created, but logs go to rotated files

Jeremy MJ jskier at gmail.com
Tue Jun 23 15:14:12 UTC 2015


Okay, confirmed eve-log outputs appear to rotate fine, so switched
over to only those for now. Below is the current suri config I'm
testing. If an issue needs to be entered, please let me know- not sure
which direction the output log files are going. It's great that there
are options, but it feels somewhat duplicative (and more work for
devs) to have two means of outputting the same json event types IMO.

  - eve-log:
      enabled: yes
      type: file
      filename: alerts-json.log
      types:
        - alert:
                payload: yes
                payload-printable: yes
                packet: yes
                http: yes
                tls: yes
                ssh: yes
  - eve-log:
      enabled: yes
      type: file
      filename: stats-json.log
      types:
        - stats:
                totals: yes
                threads: yes
  - eve-log:
      enabled: yes
      type: file
      filename: files-json.log
      types:
        - files:
                force-magic: yes
                force-md5: yes
  - eve-log:
      enabled: yes
      type: file
      filename: http-json.log
      types:
        - http:
                extended: yes
  - eve-log:
      enabled: yes
      type: file
      filename: dns-json.log
      types:
        - dns:
                extended: yes
  - eve-log:
      enabled: yes
      type: file
      filename: ssh-tls-json.log
      types:
        - ssh
    - tls:
                extended: yes
  - eve-log:
      enabled: yes
      type: file
      filename: flows-json.log
      types:
        - flow
        - netflow

--
Jeremy MJ


On Tue, Jun 23, 2015 at 9:09 AM, Jeremy MJ <jskier at gmail.com> wrote:
> Thanks Oliver. I'm running as user suri, and pid file is in fact
> accurate and references the PID of the current running suricata
> process. Permissions for new logs are the same as old, chmod 660.
>
> I tried a force with nocreate, and interestingly, some rotated
> properly while others did not. Any eve-log sub outputs (alert, files,
> stats) worked fine, whereas *-json.log sub outputs kept with the newly
> rotated log file. The reason I do it this way is in order to get the
> the outputs to be configured properly, those three needed eve-log
> stanza.
>
> Looks like copytruncate works fine, which makes sense. If I had to
> guess, the *-json.log files aren't getting getting recreated whereas
> the eve-log outputs are. So, perhaps if I specify every output as
> eve-log to it's own file, this would work properly.
>
> Someone asked for the output config, this is at the bottom.
>
> logrotate conf I'm using:
> {
>         su suri suri
>         daily
>         missingok
>         dateext
>         dateformat _%m-%d-%Y
>         rotate 7
>         nocompress
>         nocreate
>         sharedscripts
>         postrotate
>                 /bin/kill -HUP $(cat /home/suri/run/suri.pid)
>         endscript
> }
>
>
> outputs:
>   - dns-json-log:
>       enabled: yes
>       filename: dns-json.log
>   - http-json-log:
>       enabled: yes
>       filename: http-json.log
>       extended: yes
>   - ssh-json-log:
>       enabled: yes
>       filename: ssh-json.log
>   - tls-json-log:
>       enabled: yes
>       filename: tls-json.log
>       extended: yes
>   - flow-json-log:
>       enabled: yes
>       filename: flow-json.log
>   - nflow-json-log:
>       enabled: yes
>       filename: nflow-json.log
>   - eve-log:
>       enabled: yes
>       type: file
>       filename: alert-json.log
>       types:
>         - alert:
>                 payload: yes
>                 payload-printable: yes
>                 packet: yes
>                 http: yes
>                 tls: yes
>                 ssh: yes
>   - eve-log:
>       enabled: yes
>       type: file
>       filename: stats-json.log
>       types:
>         - stats:
>                 totals: yes
>                 threads: yes
>   - eve-log:
>       enabled: yes
>       type: file
>       filename: files-json.log
>       types:
>         - files:
>                 force-magic: yes
>                 force-md5: yes
>
> --
> Jeremy MJ
>
>
> On Tue, Jun 23, 2015 at 8:27 AM, Oliver Humpage <oliver at watershed.co.uk> wrote:
>>
>> On 23 Jun 2015, at 14:20, Jeremy MJ <jskier at gmail.com> wrote:
>>
>>> This may be a file system or logrotate issue, but I noticed that after
>>> rotating last night at midnight, the new files were created and zero
>>> length, and suricata was writing to the rotated log file.
>>
>> Sounds like the HUP isn't being sent to suricata - can you confirm that /var/run/suricata.pid exists and has the correct pid of your suricata process in it?
>>
>> Might be worth comparing the permissions on the old and new files as well, just to be sure.
>>
>> Oliver.
>>



More information about the Oisf-users mailing list