How to configure log rotation?

Hello,
The Suricata-IDS log files have filled up the “/” filesystem of my system, as shown below:

# df
Filesystem          1K-blocks     Used Available Use% Mounted on
devtmpfs              1916804        0   1916804   0% /dev
tmpfs                 1933928        0   1933928   0% /dev/shm
tmpfs                 1933928   186468   1747460  10% /run
tmpfs                 1933928        0   1933928   0% /sys/fs/cgroup
/dev/mapper/cl-root  52403200 52403180        20 100% /
/dev/mapper/cl-home  27605844   979928  26625916   4% /home
/dev/sda2              999320   222912    707596  24% /boot
/dev/sda1              613184     7024    606160   2% /boot/efi
tmpfs                  386784        0    386784   0% /run/user/1000
#
# du -h /var/log
0	/var/log/private
0	/var/log/grafana
0	/var/log/samba/old
0	/var/log/samba
76K	/var/log/pcp/pmcd
64K	/var/log/pcp/pmie/localhost.localdomain
8.0K	/var/log/pcp/pmie/example.com
8.0K	/var/log/pcp/pmie/example
88K	/var/log/pcp/pmie
1.1G	/var/log/pcp/pmlogger/localhost.localdomain
0	/var/log/pcp/pmlogger/example.com
873M	/var/log/pcp/pmlogger/example
2.0G	/var/log/pcp/pmlogger
0	/var/log/pcp/pmproxy
0	/var/log/pcp/pmmgr
8.5M	/var/log/pcp/sa
2.0G	/var/log/pcp
0	/var/log/audit
9.4M	/var/log/sa
31M	/var/log/httpd
0	/var/log/pluto/peer
0	/var/log/pluto
28K	/var/log/sssd
24K	/var/log/tuned
0	/var/log/chrony
4.2M	/var/log/anaconda
48K	/var/log/rhsm
64K	/var/log/mariadb
204K	/var/log/php-fpm
2.7M	/var/log/letsencrypt
38G	/var/log/suricata
43G	/var/log

Does Suricata-IDS have any option for log rotation, or must I configure the Linux “logrotate.conf” file?

Thank you.

Hi,

Suricata provides a log rotation script that may be used – see 15.6. Log Rotation — Suricata 6.0.0 documentation


Thank you.
Should I add the lines below to the “logrotate.conf” file?

/var/log/suricata/*.log /var/log/suricata/*.json
{
    rotate 3
    missingok
    nocompress
    create
    sharedscripts
    postrotate
            /bin/kill -HUP `cat /var/run/suricata.pid 2>/dev/null` 2>/dev/null || true
    endscript
}
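The postrotate line in the config above is the part that actually matters for a long-running process. Suricata keeps its log files (eve.json, fast.log, stats.log, ...) open; after logrotate renames a file and creates a fresh one, the daemon's open descriptor still points at the renamed inode, so it keeps writing into the rotated copy until it is told to reopen, which is what the HUP does. The following is an added example, not code from the thread or from the Suricata project: a hypothetical stand-in writer that reopens on SIGHUP the way Suricata does, a rotate() that mimics logrotate's rename-and-create, and a check of where each line ended up. File names and the JSON sample lines are constructed for the demonstration.

```python
"""Added example: why logrotate's postrotate must HUP the daemon.

A stand-in daemon keeps a log file open the way Suricata keeps eve.json
open.  Rename-and-create rotation on its own leaves the daemon writing
into the rotated file; only the reopen triggered by SIGHUP moves writes
to the new file.
"""
import os
import signal
import tempfile


class LogWriter:
    """Hypothetical stand-in for Suricata's log writer: it holds one open
    file handle and reopens it by path when it receives SIGHUP."""

    def __init__(self, path):
        self.path = path
        self.fh = open(path, "a")
        signal.signal(signal.SIGHUP, self._on_hup)

    def _on_hup(self, signum, frame):
        # Reopening by path is what moves subsequent writes to the
        # freshly created file; the old descriptor pointed at the
        # renamed inode.
        self.fh.close()
        self.fh = open(self.path, "a")

    def write(self, line):
        # Flush on every write so the files can be inspected immediately.
        self.fh.write(line + "\n")
        self.fh.flush()

    def close(self):
        self.fh.close()
        signal.signal(signal.SIGHUP, signal.SIG_DFL)


def rotate(path):
    """Mimic logrotate's 'rotate N' plus 'create': rename the live file to
    <name>.1 and create a new, empty file under the original name."""
    rotated = path + ".1"
    os.replace(path, rotated)
    open(path, "a").close()
    return rotated


def read_lines(path):
    with open(path) as fh:
        return fh.read().splitlines()


def demo(workdir):
    """Run the rotation scenario in workdir and report what landed where."""
    live = os.path.join(workdir, "eve.json")
    writer = LogWriter(live)
    # Constructed sample events, not real Suricata output.
    writer.write('{"event_type":"alert","note":"before rotation"}')

    rotated = rotate(live)
    # No HUP yet: the writer's descriptor still refers to the old inode,
    # which now carries the .1 name, so this line lands in eve.json.1.
    writer.write('{"event_type":"alert","note":"after rotation, before HUP"}')
    live_before_hup = read_lines(live)

    # Equivalent of the postrotate step: kill -HUP $(cat suricata.pid).
    # Sending the signal to ourselves delivers it before os.kill returns.
    os.kill(os.getpid(), signal.SIGHUP)
    writer.write('{"event_type":"alert","note":"after HUP"}')
    writer.close()

    return {
        "rotated": read_lines(rotated),
        "live_before_hup": live_before_hup,
        "live_after_hup": read_lines(live),
    }


def run():
    """Run demo() in a fresh temporary directory and return its result."""
    return demo(tempfile.mkdtemp(prefix="logrotate-demo-"))


if __name__ == "__main__":
    for name, lines in run().items():
        print(f"{name}: {lines}")
```

Running it shows the new eve.json staying empty after rotation until the HUP arrives, while the "after rotation, before HUP" line sits in eve.json.1. The same reasoning applies to any rule that uses `create` for a file a daemon keeps open: without a reopen in postrotate (or `copytruncate`, which has its own race), rotation only renames the file the process is still writing to.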

I recommend adding a separate physical drive for storing log files from apps that generate large amounts of data, like Suricata. It prevents unhappy events like yours from breaking the OS. The location of Suricata’s log file is defined in its YAML file.

I note that your rotation does not compress the data, or give a maximum size limit for the log files to trigger rotation. Shown below is what I use. I do not care much about fast.log, which is why it is separate. The other rule allows about a week of history; you may need more.

#
compress
compresscmd /usr/bin/xz
#
/data01/var/log/suricata/fast.log {
    dateext
    maxage 3
    rotate 1
    size=500k
    create
    notifempty
    missingok
    postrotate
        chmod 644 /data01/var/log/suricata/*.log
    endscript
}
#
/data01/var/log/suricata/alert-debug.log /data01/var/log/suricata/suricata.log /data01/var/log/suricata/eve.log.json /data01/var/log/suricata/stats.log {
    dateext
    maxage 50
    rotate 6
    size=2M
    create
    notifempty
    missingok
    postrotate
        chmod 644 /data01/var/log/suricata/*.log
    endscript
}

The recommended way would be to add it in the configuration directory used by logrotate – this is usually (but not always) /etc/logrotate.d.