What does happen to Suricata when a log rotation is made?


I am now configuring a log rotation for Suricata logs. And I have seen that the logrotate example configuration for suricata runs this after a rotation:

/bin/kill -HUP `cat @e_rundir@suricata.pid 2> /dev/null` 2> /dev/null || true

I would like to understand what happens exactly to suricata when this runs. I have read that the kill -HUP sends a notification to the process that the terminal connection is lost and that it must restart itself.

But what does this mean in terms of Suricata? Does it restart the whole process?(I already know that not completely because of the time it takes to restart completely) Does it just restart the outputs files?Up to what point it is restarted? Does it stop sniffing for a moment? Do packages get stored in a buffer until restart?

So that’s it, if someone can explain me what does Suricata precisely do when receives the HUP signal, I would appreciate.


When SIGHUP is received by Suricata, it will mark all of the log files such that they’re closed an re-opened. Suricata doesn’t restart.

There’ll be no disruption of traffic processing.

SIGHUP should be sent after the logs are rotated – Suricata doesn’t rotate logs – to cause Suricata to close its filehandle and re-open – in essence, it’s recreating the file that was just rotated