Logrotate Does not work

I started logrotate like this but it doesn’t delete log files

  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: eve-%Y-%m-%d-%H:%M:%S.json
      rotate-interval: 60s
      rotate-log-keep: 3
      rotation-compression: gzip
      filemode: 777

please help!!!

Suricata doesn’t delete the log files, these options are unknown to Suricata:

  • rotate-log-keep
  • rotation-compression

If you do need an aggressive rotation schedule like this, you will have to come up with some other means to delete the log files.


I had issues with log rotation as well but it was not due to Suricata itself. I did not change its config from suricata.conf rather from logrotate profile. In my case it was running on RHEL, these are the notes I took during debugging.

I hope it helps:

How logorotate works

A script usually present under /etc/logorotate.d/ is read daily by cron (on RHEL, on other distro this could be handled by systemd timers). You can assess this quickly by searching for cron scriptsor systemd timers:

# find /etc/cron* -name 'logrotate'

# systemctl list-timers --all
NEXT                         LEFT          LAST                         PASSED    UNIT                         ACTIV>

Also, logrotate tracks logs’ status (timestamp of last rotation) under /var/lib/logrotate/logrotate.status file. This is the file that will be checked to confirm if rotation is needed.

Troubleshooting steps - focused on cron setup

  1. Verify if the logrotate script runs as expected in debug mode (dry run - it won’t do any change):
    logrotate -d /etc/logrotate.d/suricata

  2. If it works, try rotating manually in verbose mode to confirm it works:
    logrotate -v /etc/logrotate.d/suricata

  3. Check if it actually rotated the logs ls -lh <path_logs>, if not, inspect logs:

    3a. Check messages/journal to see if there are errors:
    3b. Check audit logs to confirm selinux is not preventing it to work:

    type=AVC msg=audit(1335727501.512:1389214): avc:  denied  { getattr } for  pid=14262 comm="logrotate" path="/data/suricata/logs/suricata.log" dev=dm-0 ino=131206 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file

Common issues: