Suricata-update how to log failures?

Hello everyone i would like to know how i can log when suricata-update fails to do an update is there already something in place for this?

Just my 2 cents how I log this via a daily cron job:
01 5 * * * root date >> /var/log/suricata-update.log ; /home/suricata/ >> /var/log/suricata-update.log

And rotation:
cat /etc/logrotate.d/suricata-update
/var/log/suricata-update.log {
rotate 2
create 0660 root suricata

1 Like

Ah this is what i did as well i’m surprised suricata-update doesn’t have a logging tool by default ,cause I would like to log if the update failed to eve.json so I could then send it to opensearch.
Where can i request this feature?

I’m not sure if v7 or v8 have such a function, but have a look here for requests Overview - Suricata-Update - Open Information Security Foundation

suricata-update does exit with a non-zero exit code on failure. Typically with cron, this will cause an email to be sent.

I suppose you could redirect the output to a file and add -q. Only warnings and errors will be logged then, so that might be more useful to have your log tools pickup. By default, suricata-update is quite informational in its logging.

1 Like

Thank you will there be an option in the future to be able to log this to eve.json?
I think this would be useful to warn if the update was done correctly