Issue with suricata and logrotate


We currently run suricata 4.1 on centos and we installed the released package on our hosts. We noticed the package comes with a logrotate config file in /etc/logrotate.d. But on centos the file looks like this:

# Sample /etc/logrotate.d/suricata configuration file. 
/var/log/suricata*.log /var/log/suricata*.json 
{ daily missingok rotate 5 compress delaycompress minsize 500k sharedscripts postrotate /bin/kill -HUP ` cat /var/run/ 2> /dev/null ` 2> /dev/null || true endscript }

Which seems to include an incorrect suricata log dir. I think a trailing / is missing. /var/log/suricata*.log should be /var/log/suricata/*.log

This looks like an issue with the Suricata package found in EPEL, but thanks for the notification, I’ll see about getting this fixed.

You can also use the RPMs that we provide which don’t have this issue:

Note that Suricata 4.1 is now EOL so you should consider upgrading. If you are on CentOS 7, we do provide Suricata 5.0 and 6.0 for that version, please see: