[Oisf-users] Rotated log files created, but logs go to rotated files

Jeremy MJ jskier at gmail.com
Fri Jun 26 18:18:06 UTC 2015


> Yes, this is a definite issue which I will address soon.
Issue in and assigned to you. Marked as feature, as it's more for
consistency than a bug.

> As for rotation over 80MB?  My eve.log normally gets to 300MB or
> so before rotation by logrotate just fine. Anyways, if you are seeing an
> issue with rotating large file sizes it's more likely your logrotate
> program than Suricata, as all Suricata does on HUP is close the
> existing log file, then re-open it - appending if it already exists,
> or creating a new file if it doesn't exist, so the size should not be
> an issue.

80 MB is arbitrary and appears to work. The log files over 100 MB for
me get rotated and suricata follows to the new logs.

There are a number of variables for the other issue. I am wildcarding
the .log files in logrotate, in a virtual environment with unique
storage, version of logrotate (latest stable) used, to name a few.

So, I'll hold off on putting that in as a suricata issue. I'll keep
looking into changing the variables to see if I can pin it down
further and place the issue with the appropriate project.

Jeremy MJ
jskier at gmail.com

On 6/26/2015 12:50 PM, Jason Ish wrote:
> On Fri, Jun 26, 2015 at 11:45 AM, Jeremy MJ <jskier at gmail.com>
> wrote:
>> Went to ext4. Odd, I think it has to do with the size of the
>> logs, because it will rotate on log rotate force when the files
>> are smaller. I see no reason why a moderate size (80MB) rotation
>> will work just fine.
>> 
>> So, there are two issues, one: plain log output isn't working
>> right at all (not part of the HUP), two: eve logs do not properly
>> rotate over a certain size.
> 
> Yes, this is a definite issue which I will address soon.
> 
> As for rotation over 80MB?  My eve.log normally gets to 300MB or
> so before rotation by logrotate just fine. Anyways, if you are
> seeing an issue with rotating large file sizes it's more likely your
> logrotate program than Suricata, as all Suricata does on HUP is
> close the existing log file, then re-open it - appending if it
> already exists, or creating a new file if it doesn't exist, so the
> size should not be an issue.
> 
>> I will put in these issues shortly,
> 
> Thanks, Jason
> 
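The close-and-reopen-on-HUP behaviour described in the quoted reply, and the symptom in the subject line, as an added example that is not part of the original thread and is not Suricata's code. The class `ReopenOnHupLog` and the temporary `eve.log` path are constructed for illustration; the rename stands in for a logrotate run without `copytruncate`.

```python
import os
import signal
import tempfile


class ReopenOnHupLog:
    """Hypothetical writer: on SIGHUP, close the log file and re-open it by path."""

    def __init__(self, path):
        self.path = path
        self.fh = open(path, "a")
        self.reopen_requested = False
        signal.signal(signal.SIGHUP, self._on_hup)

    def _on_hup(self, signum, frame):
        # Keep the handler minimal: set a flag, do the file work on the next write.
        self.reopen_requested = True

    def write(self, line):
        if self.reopen_requested:
            self.fh.close()
            # Append mode: appends if the path exists, creates it otherwise.
            self.fh = open(self.path, "a")
            self.reopen_requested = False
        self.fh.write(line + "\n")
        self.fh.flush()


def read_lines(path):
    with open(path) as fh:
        return fh.read().splitlines()


def demo():
    workdir = tempfile.mkdtemp()
    live = os.path.join(workdir, "eve.log")   # constructed sample path
    rotated = live + ".1"
    log = ReopenOnHupLog(live)
    log.write("event 1")
    os.rename(live, rotated)                  # rotation by rename
    log.write("event 2")                      # no HUP yet: descriptor follows the renamed file
    before_hup = (read_lines(rotated), os.path.exists(live))
    os.kill(os.getpid(), signal.SIGHUP)       # what a postrotate step would send
    log.write("event 3")                      # handled HUP: new file created at the live path
    after_hup = (read_lines(rotated), read_lines(live))
    log.fh.close()
    return before_hup, after_hup


if __name__ == "__main__":
    print(demo())
```

If the HUP never reaches the writer, or the rotated name is not the one the writer re-opens, events keep landing in the rotated file, which is a useful first check when triaging missing IDS events after rotation.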