[Oisf-users] Rotated log files created, but logs go to rotated files

Jeremy MJ jskier at gmail.com
Fri Jun 26 17:45:13 UTC 2015



Went to ext4. Odd, I think it has to do with the size of the logs,
because it will rotate on log rotate force when the files are smaller.
I see no reason why a moderate size (80MB) rotation will work just fine.

So, there are two issues, one: plain log output isn't working right at
all (not part of the HUP), two: eve logs do not properly rotate over a
certain size.

I will put in these issues shortly,

Jeremy MJ
jskier at gmail.com

On 6/23/2015 11:29 AM, Jason Ish wrote:
> On Tue, Jun 23, 2015 at 10:19 AM, Oliver Humpage
> <oliver at watershed.co.uk> wrote:
>> 
>> On 23 Jun 2015, at 16:14, Jeremy MJ <jskier at gmail.com> wrote:
>> 
>>> Okay, confirmed eve-log outputs appear to rotate fine, so
>>> switched over to only those for now. Below is the current suri
>>> config I'm testing.
>> 
>> I found a very similar thing when I forgot to HUP suricata.
>> 
>> I'm just wondering, perhaps su-ing to suri/suri means it's not
>> HUPping the process for some reason.
>> 
>> If you run the HUP postrotate line manually as root after doing a
>> logrotate (you'll have to put the "create" line back in), does it
>> start writing to the new files?
>> 
> 
> So it looks like JSON output configured with <name>-json-log are
> not hooked into the rotation system, whereas the eve-log output
> is.  So one solution is to use multiple eve-log configurations with
> just the output you want and its filename.
> 
> Jeremy: Would you like to create a ticket for this, including a 
> portion from your suricata.yaml?
> 
> Thanks, Jason
> 
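
The workaround Jason suggests above, sketched as a suricata.yaml fragment. This is an added example, not the poster's configuration or text from the thread; the file names and the choice of event types are assumptions.

```yaml
# Added example: one eve-log instance per event type, each with its own
# file, in place of the separate <name>-json-log outputs that the thread
# reports are not hooked into rotation.
# File names and selected types below are illustrative assumptions.
outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve-alert.json    # alerts only
      types:
        - alert

  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve-http.json     # HTTP transactions only
      types:
        - http:
            extended: yes

  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve-dns.json      # DNS queries and answers only
      types:
        - dns
```

After a rotation and HUP, each of these files should be recreated under its original name and start growing again; a rotated copy that keeps growing means the process is still holding the old file handle.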