What does happen to Suricata when a log rotation is made?

mikel95 · July 14, 2023, 10:12am

Hello,

I am now configuring a log rotation for Suricata logs. And I have seen that the logrotate example configuration for suricata runs this after a rotation:

/bin/kill -HUP `cat @e_rundir@suricata.pid 2> /dev/null` 2> /dev/null || true

I would like to understand what happens exactly to suricata when this runs. I have read that the kill -HUP sends a notification to the process that the terminal connection is lost and that it must restart itself.

But what does this mean in terms of Suricata? Does it restart the whole process?(I already know that not completely because of the time it takes to restart completely) Does it just restart the outputs files?Up to what point it is restarted? Does it stop sniffing for a moment? Do packages get stored in a buffer until restart?

So that’s it, if someone can explain me what does Suricata precisely do when receives the HUP signal, I would appreciate.

Thanks

Jeff_Lucovsky · July 14, 2023, 2:14pm

When SIGHUP is received by Suricata, it will mark all of the log files such that they’re closed an re-opened. Suricata doesn’t restart.

There’ll be no disruption of traffic processing.

SIGHUP should be sent after the logs are rotated – Suricata doesn’t rotate logs – to cause Suricata to close its filehandle and re-open – in essence, it’s recreating the file that was just rotated

Topic		Replies	Views
Sending a SIGHUP while Suricata is Processing a PCAP Causes Suricata to crash Help	2	217	September 17, 2023
Confusing log rotation problem of timestamp Help	1	561	January 26, 2022
Suricata6.0.9 CANNOT Recevie HUP Signal and CANNOT Reload Help suricata	8	298	August 2, 2023
Suricata communication state reset when analyzing files Help	5	469	February 27, 2021
Use suricata to replay pcap file without any output Help	4	559	August 4, 2021

What does happen to Suricata when a log rotation is made?

Related Topics