Logrotate does not work

I started logrotate like this but it doesn’t delete log files

  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: eve-%Y-%m-%d-%H:%M:%S.json
      rotate-interval: 60s
      rotate-log-keep: 3
      rotation-compression: gzip
      filemode: 777

please help!!!

Suricata doesn’t delete the log files; these options are unknown to Suricata:

  • rotate-log-keep
  • rotation-compression

If you do need an aggressive rotation schedule like this, you will have to come up with some other means to delete the log files.

Hi,

I had issues with log rotation as well, but it was not due to Suricata itself. I did not change its config in suricata.conf but rather in the logrotate profile. In my case it was running on RHEL; these are the notes I took during debugging.

I hope it helps:

How logrotate works

A script usually present under /etc/logrotate.d/ is read daily by cron (on RHEL; on other distros this could be handled by systemd timers). You can assess this quickly by searching for cron scripts or systemd timers:

# find /etc/cron* -name 'logrotate'
/etc/cron.daily/logrotate

# systemctl list-timers --all
NEXT                         LEFT          LAST                         PASSED    UNIT                         ACTIV>
[...]

Also, logrotate tracks logs’ status (timestamp of last rotation) under /var/lib/logrotate/logrotate.status file. This is the file that will be checked to confirm if rotation is needed.

Troubleshooting steps - focused on cron setup

  1. Verify if the logrotate script runs as expected in debug mode (dry run - it won’t do any change):
    logrotate -d /etc/logrotate.d/suricata

  2. If it works, try rotating manually in verbose mode to confirm it works:
    logrotate -v /etc/logrotate.d/suricata

  3. Check if it actually rotated the logs (ls -lh <path_logs>); if not, inspect logs:

    3a. Check messages/journal to see if there are errors:
    3b. Check audit logs to confirm SELinux is not preventing it from working:

    type=AVC msg=audit(1335727501.512:1389214): avc:  denied  { getattr } for  pid=14262 comm="logrotate" path="/data/suricata/logs/suricata.log" dev=dm-0 ino=131206 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
    

Common issues:
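The second reply above points out that Suricata's rotate-interval only starts a new eve file and never deletes old ones, so the "keep 3" behaviour the original poster wanted has to come from outside Suricata (cron, a systemd timer, or a logrotate postrotate hook). The following is an added example, not code from the thread or from the Suricata project: a POSIX sh function that keeps only the newest N files matching the eve-%Y-%m-%d-%H:%M:%S.json naming from the poster's config. The log directory (/var/log/suricata) and the glob pattern are assumptions; it also carries a dry-run mode that mirrors the "logrotate -d" first step of the troubleshooting post, so you can see what would be removed before anything is deleted.

```shell
#!/bin/sh
# Added example (not from the forum thread): keep only the newest N eve logs.
# Suricata's rotate-interval starts a new file on schedule; "rotate-log-keep"
# is not a Suricata option, so deletion must be done by an external job.
#
# Usage: prune_rotated_logs <dir> <glob> <keep> [dry]
#   prune_rotated_logs /var/log/suricata 'eve-*.json*' 3       # delete old files
#   prune_rotated_logs /var/log/suricata 'eve-*.json*' 3 dry   # only report
# Prints (to stdout) the number of files deleted, or that would be deleted.
# Directory and glob below are assumed values, not taken from the thread.

prune_rotated_logs() {
    dir=$1
    pattern=$2
    keep=$3
    mode=${4:-delete}
    removed=0
    seen=0
    # ls -t lists newest first, so the first $keep entries are retained.
    # The newest match is normally the file Suricata is still writing to,
    # so it is always kept. Names like eve-2024-01-01-00:00:00.json contain
    # no whitespace, so word splitting on the unquoted expansion is safe.
    for f in $(cd "$dir" && ls -t $pattern 2>/dev/null); do
        seen=$((seen + 1))
        if [ "$seen" -le "$keep" ]; then
            continue
        fi
        if [ "$mode" = dry ]; then
            # dry run: report on stderr, leave the file in place
            echo "would remove: $dir/$f" >&2
        else
            rm -f -- "$dir/$f"
        fi
        removed=$((removed + 1))
    done
    echo "$removed"
}
```

Run it from a cron entry or systemd timer with a shorter period than the rotate-interval you configure in Suricata; a dry run first shows exactly which files fall outside the retention window, which is the same check the troubleshooting post makes with logrotate -d before touching anything.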