Suricata - logrotate every week using cron.weekly

Hello everyone,

I have a question regarding logrotate. I have created a suricata_logorate file inside /etc/logrotate.d:

/var/log/suricata/*.log /var/log/suricata/*.json
{
	weekly
	rotate 2
	maxage 14
	missingok
	create
	compress
	delaycompress
	minsize 500k
	# dateformat only takes effect together with dateext
	dateformat .%Y-%m-%d
	sharedscripts
	postrotate
		/bin/kill -HUP `cat /var/run/suricata.pid 2>/dev/null` 2>/dev/null || true
	endscript
}

I would like to rotate my Suricata logs weekly and delete them after 2 weeks; as they are indexed with Splunk, I do not need them anymore.

I see that logrotate is already set to run daily in the cron.daily folder. How can I change it for Suricata to run every week?

Or will logrotate run daily, check logrotate.conf and /etc/logrotate.d/*, and, if something is set to “weekly/monthly” etc., skip it?

Thank you in advance.

With kind regards,

Chris

You should also have a cron.weekly folder or you can set custom crontab settings.

@Andreas_Herz thanks for your answer. My cron.daily folder contains a logrotate file with the following code:

#!/bin/sh

/usr/sbin/logrotate -s /var/lib/logrotate/logrotate.status /etc/logrotate.conf
EXITVALUE=$?
if [ $EXITVALUE != 0 ]; then
    /usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"
fi
exit 0

Will it work if I just copy this file to cron.daily?

Thanks in advance.

Regards,

Chris

If it works there, it would work on the other as well, just running on a different schedule.
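
An added example (not code from any poster in this thread): a small shell lint for the stanza in the question, plus a `logrotate -d` dry run that reports what the existing daily cron job would do with a `weekly` stanza. The function names and the `fixed` variant of the sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Lints one logrotate config for the
# pitfalls visible in the stanza above, then dry-runs it with logrotate -d.

# sample_conf posted|fixed: constructed copy of the stanza from the thread.
# "fixed" is an assumption: it adds dateext and the closing brace.
sample_conf() {
    printf '%s\n' '/var/log/suricata/*.log /var/log/suricata/*.json' '{' \
        weekly 'rotate 2' 'maxage 14' missingok create compress delaycompress \
        'minsize 500k' 'dateformat .%Y-%m-%d' sharedscripts postrotate \
        '  /bin/kill -HUP `cat /var/run/suricata.pid 2>/dev/null` 2>/dev/null || true' \
        endscript
    if [ "$1" = fixed ]; then printf '%s\n' dateext '}'; fi
}

# lint_logrotate [FILE]: one finding per line, then the schedule per stanza.
lint_logrotate() {
    awk '
    function close_stanza() {
        if (seen["dateformat"] && !seen["dateext"])
            print "dateformat-without-dateext"      # dateformat is ignored
        if (seen["delaycompress"] && !seen["compress"])
            print "delaycompress-without-compress"  # delaycompress is ignored
        print "schedule=" (freq != "" ? freq : "inherited")
        split("", seen); freq = ""; in_stanza = 0
    }
    NF == 0 || $1 ~ /^#/ { next }
    in_script { if ($1 == "endscript") in_script = 0; next }
    $1 ~ /^(prerotate|postrotate|firstaction|lastaction|preremove)$/ {
        in_script = 1; next                         # skip embedded shell
    }
    index($0, "{") { in_stanza = 1 }
    $1 == "}" { close_stanza(); next }
    in_stanza {
        seen[$1] = 1
        if ($1 ~ /^(hourly|daily|weekly|monthly|yearly)$/) freq = $1
    }
    END {
        if (in_script) print "unterminated-script"
        if (in_stanza) { print "unterminated-stanza"; close_stanza() }
    }' "$@"
}

# dry_run FILE: let logrotate report what the next cron run would do.
# -d changes nothing: no rotation, and the state file is not updated.
dry_run() {
    command -v logrotate >/dev/null 2>&1 || { echo "logrotate not found" >&2; return 127; }
    logrotate -d -s /var/lib/logrotate/logrotate.status "$1"
}

echo "as posted:"; sample_conf posted | lint_logrotate
echo "fixed:";     sample_conf fixed  | lint_logrotate
```

On a host with logrotate installed, `dry_run /etc/logrotate.d/<file>` prints, per log file, whether that file would be rotated on the next run given the last-rotation dates in the status file.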