[Oisf-users] Rotated log files created, but logs go to rotated files

Peter Manev petermanev at gmail.com
Sun Jun 28 10:04:08 UTC 2015


On Fri, Jun 26, 2015 at 8:18 PM, Jeremy MJ <jskier at gmail.com> wrote:
>> Yes, this is a definite issue which I will address soon.
> Issue in and assigned to you. Marked as feature, as it's more for
> consistency than a bug.
>
>> As for rotation over 80MB?  My eve.log normally gets to 300MB or
>> so before rotation by logrotate just fine. Anyways, if you are seeing an
>> issue with rotating large file sizes it's more likely your logrotate
>> program than Suricata, as all Suricata does on HUP is close the
>> existing log file, then re-open it - appending if it already exists,
>> or creating a new file if it doesn't exist, so the size should not be
>> an issue.
>
> 80 MB is arbitrary and appears to work. The log files over 100 MB for
> me get rotated and suricata follows to the new logs.

I do not think the size of the log file is the issue. I have a setup
that rotates 140GB-180GB eve log daily - I have not experienced any
logrotate challenges so far. I think the problem might be somewhere
else.

>
> There are a number of variables for the other issue. I am wild carding
> the .log files in logrotate, in a virtual environment with unique
> storage, version of logrotate (latest stable) used, to name a few.
>
> So, I'll hold off on putting that in as a suricata issue. I'll keep
> looking into changing the variables to see if I can pin it down
> further and place the issue with the appropriate project.
>
> Jeremy MJ
> jskier at gmail.com
>
> On 6/26/2015 12:50 PM, Jason Ish wrote:
>> On Fri, Jun 26, 2015 at 11:45 AM, Jeremy MJ <jskier at gmail.com>
>> wrote:
>>>
>>> Went to ext4. Odd, I think it has to do with the size of the
>>> logs, because it will rotate on log rotate force when the files
>>> are smaller. I see no reason why a moderate size (80MB) rotation
>>> will work just fine.
>>>
>>> So, there are two issues, one: plain log output isn't working
>>> right at all (not part of the HUP), two: eve logs do not properly
>>> rotate over a certain size.
>>
>> Yes, this is a definite issue which I will address soon.
>>
>> As for rotation over 80MB?  My eve.log normally gets to 300MB or
>> so before rotation by logrotate just fine. Anyways, if you are
>> seeing an issue with rotating large file sizes it's more likely your
>> logrotate program than Suricata, as all Suricata does on HUP is
>> close the existing log file, then re-open it - appending if it
>> already exists, or creating a new file if it doesn't exist, so the
>> size should not be an issue.
>>
>>> I will put in these issues shortly,
>>
>> Thanks, Jason
>>



-- 
Regards,
Peter Manev
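
The close-then-re-open behaviour on HUP described in the thread, and the symptom in the subject line, can be reproduced with a small simulation. This is an added example, not code from the thread or from Suricata; the class and function names are hypothetical, and it assumes rotation by rename (logrotate without copytruncate) plus a freshly created file at the old path.

```python
import os
import tempfile


class ReopenableLog:
    """Hypothetical writer that mimics the close/re-open behaviour described above."""

    def __init__(self, path):
        self.path = path
        self.fh = open(path, "a")

    def write(self, line):
        self.fh.write(line + "\n")
        self.fh.flush()

    def reopen(self):
        # On HUP: close, then re-open (append if it exists, create if not).
        self.fh.close()
        self.fh = open(self.path, "a")

    def follows_path(self):
        # Diagnostic: does the held descriptor still name the file at self.path?
        held = os.fstat(self.fh.fileno())
        try:
            disk = os.stat(self.path)
        except FileNotFoundError:
            return False
        return (held.st_dev, held.st_ino) == (disk.st_dev, disk.st_ino)


def read_lines(path):
    with open(path) as fh:
        return fh.read().split()


def simulate_rotation(send_hup):
    """Rotate a constructed eve.log by rename and report where each event lands."""
    with tempfile.TemporaryDirectory() as d:
        live = os.path.join(d, "eve.log")
        rotated = live + ".1"
        log = ReopenableLog(live)
        log.write("event-1")
        os.rename(live, rotated)     # rotation: the open descriptor follows the inode
        open(live, "a").close()      # new empty file created at the original path
        if send_hup:
            log.reopen()
        log.write("event-2")
        result = {"follows_path": log.follows_path(),
                  "live": read_lines(live), "rotated": read_lines(rotated)}
        log.fh.close()
        return result
```

When the re-open never happens, the new file stays empty and events keep landing in the rotated file; the device/inode comparison in `follows_path` is the same check one can make by hand against the running process's open descriptors.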


