Logrotate - Logs not rotating

Hello Forum:

I have a perplexing problem with rotating logs but I’m sure there is a simple fix. Unfortunately, the simple fix has eluded me. Although there are similar postings that are similar to the issue I am experiencing, none of the postings are exactly the same.

Problem:
The eve(thread number).json (i.e. eve.71.json) and other Suricata log files do not get rotated as expected (hourly or daily, depending on where I’ve placed ‘Logrotate’, i.e. /etc/cron.daily or cron.hourly). If I perform (logrotate -f /etc/logrotate.d/suricata), the eve.json DOES rotate to a new filename (example: eve.json-20220101) but Suricata will continue updating the newly rotated log. The new eve.json file remains at zero bytes and never grows but the Suricata process continues to run… Thereafter, hourly or daily rotation continues to NOT function as expected.

Log file rotation of all other file system logs appears to be rotating as expected, which makes me believe the problem is related to Suricata or possibly Napatech.

Any insights or suggestions to resolve this problem?
Thanks!

Background:
Suricata 6.0.4 was built for support of Napatech SmartNic (12.7) on Ubuntu 20.04.3.

Contents of logrotate config (/etc/logrotate.d/suricata):

```
# glob wildcards (*) and the backticks around the cat command were stripped
# by the forum display; restored here
/opt/var/log/suricata/*.log
/opt/var/log/suricata/*.json
{
    size 5M
    rotate 24
    missingok
    compress
    delaycompress
    create
    dateext
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /usr/local/var/run/suricata.pid 2>/dev/null` 2>/dev/null || true
    endscript
}
```

No differences are observed with functionality no matter if the “Logrotate” script (built by the Ubuntu OS) is located in /etc/cron.daily or /etc/cron.hourly.

Suricata yaml file (pertinent statements)

```yaml
default-log-dir: /opt/var/log/suricata/

  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      #filename: eve-%Y-%m-%d-%H:%M.json
      filename: eve.json
      threaded: true

pid-file: /usr/local/var/run/suricata.pid

napatech:
  streams: ["0-70"]
```

Command line statement used to start Suricata:

```sh
suricata -vvvv -D --pidfile /usr/local/var/run/suricata.pid -c /usr/local/etc/suricata/suricata.yaml --napatech --runmode workers
```

This is for rsyslog…

Try adding this line right before the Suricata HUP in the logrotate conf:

```sh
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
```

Note in line above… there should be a Grave Accent character before cat and after the first /dev/null but the site strips that info from display.

Greg

Also try running the HUP manually. Verify that the contents of the PID file are the PID of Suricata, and send it a `kill -HUP <PID>` directly to see if it starts writing to the newly created files.

You can also drop `create` from the logrotate configuration. It could cause problems if running Suricata as a non-root user, and is not needed by Suricata.
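The manual check suggested above (is the PID file pointing at a live process, and after a rotation is that process writing to the new eve.json or still to the renamed eve.json-YYYYMMDD?) can be scripted by reading the process's open descriptors from /proc. The following is an added example, not code from this thread or from Suricata; it assumes Linux with /proc mounted, and the function and variable names are the example's own.

```sh
#!/bin/sh
# Added diagnostic for the symptom in this thread (not from the thread or
# from Suricata): after logrotate renames eve.json, does the process hold the
# new eve.json, or still the renamed eve.json-YYYYMMDD?  Assumes Linux /proc.

# pidfile_live <pidfile>: print the command name behind the PID in <pidfile>;
# fails if the file is unreadable or that PID is not running.
pidfile_live() {
    pid=$(cat "$1" 2>/dev/null) || return 1
    [ -r /proc/"$pid"/comm ] || return 1
    cat /proc/"$pid"/comm
}

# open_logs <pid> <logdir>: one "fd<TAB>target" line per descriptor of <pid>
# that points into <logdir> (readlink resolves the /proc/<pid>/fd/N symlinks;
# a target that was unlinked shows up with a " (deleted)" suffix).
open_logs() {
    pid=$1 logdir=${2%/}
    for fd in /proc/"$pid"/fd/*; do
        [ -L "$fd" ] || continue
        target=$(readlink "$fd") || continue
        case $target in
            "$logdir"/*) printf '%s\t%s\n' "${fd##*/}" "$target" ;;
        esac
    done
}

# rotation_stale <pid> <logdir> <basename>: exit 0 when no descriptor is stuck
# on a rotated or deleted copy of <basename>; exit 1 (and print the offenders)
# when the process still writes to e.g. eve.json-20220101, which is the case
# where a missing or ineffective SIGHUP leaves the new eve.json at 0 bytes.
rotation_stale() {
    stale=$(open_logs "$1" "$2" | awk -F '\t' -v base="$3" '
        { name = $2; sub(".*/", "", name) }
        name != base && index(name, base) == 1 { print $2 }')
    [ -z "$stale" ] && return 0
    printf 'stale descriptor(s):\n%s\n' "$stale"
    return 1
}
```

With the paths from this thread, the check would be run as `rotation_stale "$(cat /usr/local/var/run/suricata.pid)" /opt/var/log/suricata eve.json` right after a forced `logrotate` run.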

Thank you @greg and @ish for the suggestions. I will implement and monitor.
Hopefully I report back with good news.

Reporting back here.
I have added ``-HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true`` per @greg's suggestion and removed `create` per @ish. This seems to have resolved the issue.
Logrotate is now working as expected.
Big Thanks!!