Suricata-update how to log failures?

Hello everyone, I would like to know how I can log when suricata-update fails to do an update. Is there already something in place for this?

Hi,
Just my 2 cents how I log this via a daily cron job:
01 5 * * * root date >> /var/log/suricata-update.log ; /home/suricata/rule-update.sh >> /var/log/suricata-update.log

And rotation:
cat /etc/logrotate.d/suricata-update
/var/log/suricata-update.log {
weekly
missingok
notifempty
sharedscripts
rotate 2
compress
create 0660 root suricata
}


Ah, this is what I did as well. I'm surprised suricata-update doesn't have a logging tool by default, because I would like to log if the update failed to eve.json so I could then send it to OpenSearch.
Where can I request this feature?

I’m not sure if v7 or v8 have such a function, but have a look here for requests Overview - Suricata-Update - Open Information Security Foundation

suricata-update does exit with a non-zero exit code on failure. Typically with cron, this will cause an email to be sent.

I suppose you could redirect the output to a file and add -q. Only warnings and errors will be logged then, so that might be more useful to have your log tools pickup. By default, suricata-update is quite informational in its logging.

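Building on the exit-code and -q points in the reply above, here is an added wrapper script (not from the thread or from the Suricata project) that keeps the plain text log and also appends one JSON line per run to a separate file that a log shipper can forward; the log paths, UPDATE_CMD and the event_type value are assumptions.

```shell
#!/bin/sh
# Wrapper for the daily suricata-update run: keeps the full text log and also
# appends one JSON line per run so a log shipper can alert on failures.
# UPDATE_CMD, the log paths and the event_type value are assumptions here.
UPDATE_CMD="${UPDATE_CMD:-suricata-update -q}"
TEXT_LOG="${TEXT_LOG:-/var/log/suricata-update.log}"
RESULT_LOG="${RESULT_LOG:-/var/log/suricata-update-result.json}"

# Print one JSON object for an exit code and the last line of output.
# Only quotes and backslashes are escaped; suricata-update output is plain text.
json_result() {
    rc="$1"
    last_line="$2"
    if [ "$rc" -eq 0 ]; then status="ok"; else status="failed"; fi
    esc=$(printf '%s' "$last_line" | sed 's/\\/\\\\/g; s/"/\\"/g')
    printf '{"timestamp":"%s","event_type":"suricata_update","status":"%s","exit_code":%d,"last_output":"%s"}\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$status" "$rc" "$esc"
}

# Run the update, append its combined output to TEXT_LOG and one JSON line to
# RESULT_LOG, then return the update's own exit code so cron still sees it.
run_update() {
    rc=0
    out=$(sh -c "$UPDATE_CMD" 2>&1) || rc=$?
    printf '%s\n' "$out" >> "$TEXT_LOG"
    json_result "$rc" "$(printf '%s\n' "$out" | tail -n 1)" >> "$RESULT_LOG"
    return "$rc"
}

# Invoked from cron as: 01 5 * * * root /usr/local/sbin/suricata-update-wrapper.sh run
case "${1:-}" in
    run) run_update ;;
esac
```

Because the wrapper returns the update's exit code, cron's own failure mail still works, and the JSON file gives a second signal that can be shipped alongside eve.json.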

Thank you. Will there be an option in the future to be able to log this to eve.json?
I think this would be useful to warn if the update was done correctly.