How does suricata react when logs files directory reaches max size?

KAMALKUMARM · August 8, 2024, 2:38pm

@Team,
/var/log/suricata/ : suricata log directory.
I have created a mount point /mnt/suricata/ and binded /var/log/suricata/ to it.
Mount point size is 2MB.
Tried running suricata with different logs enabled, mount point reached max size 2MB and couldn’t see any message from suricata reg size.
I am basically trying to check how does suricata react in this situation.

Andreas_Herz · August 8, 2024, 2:42pm

How did you mount that, with what type of filesystem?
Why do you limit it to 2MB, that’s nearly nothing for logs.
Please provide more details about your setup and what you want to achieve

KAMALKUMARM · August 8, 2024, 3:36pm

@Andreas_Herz ,

How did you mount that, with what type of filesystem?
Kindly find the steps used to mount, file system is ext4:

Create a 1GB disk image

dd if=/dev/zero of=/mnt/suricata.img bs=1M count=2

Format the disk image

mkfs.ext4 /mnt/suricata.img

Create a mount point

mkdir /mnt/suricata

Mount the disk image

mount -o loop /mnt/suricata.img /mnt/suricata

Move existing files (if any) from /var/log/suricata/ to the new mount point

mv /var/log/suricata/* /mnt/suricata/

Bind mount the new mount point to the original directory

mount --bind /mnt/suricata /var/log/suricata

Verify the mounts

mount | grep suricata

Why do you limit it to 2MB ?
we have memory constraints so, need to limit the directory size.
I just tried to limit it to 2MB to check how suricata reacts if it reaches max size.

Andreas_Herz · August 8, 2024, 3:44pm

Why do you mount it as loop instead of a normal ext4 filesystem?

You should add log rotation to the folder or otherwise Suricata won’t be able to write logfiles to that location at one point, especially if you add the suricata.log there as well.

KAMALKUMARM · August 8, 2024, 4:09pm

@Andreas_Herz , I will take care of file system,
but actually point is how does suricata react if /var/log/suricata directory reaches its max size based on mount point ?
Kindly let me know.

Andreas_Herz · August 8, 2024, 4:11pm

As I said, unless you set up a log rotation it won’t be able to write logfiles to that location anymore

KAMALKUMARM · August 8, 2024, 4:16pm

Able to see below log, but not immediately as max size is reached. will try again.
Error: logopenfile: No space left on device error while writing to /var/log/suricata//stats.log

I will try with log rotation as well. Thank you @Andreas_Herz

Topic		Replies	Views
How to set a size limit to the eve.log file? Help	3	1634	January 29, 2023
Somethin is wrong with suricata Help	13	1177	October 8, 2021
Is there a way to inform suricata to use only certain amount memory for logs? Help suricata	5	25	November 7, 2024
Tail: cannot open ‘/var/log/suricata/suricata.log’ for reading: No such file or directory Help centos , suricata	3	1080	November 8, 2022
Suricata crashes when suricata.yaml setting max-file to 1 in pcap-log config Help suricata	4	333	September 13, 2023