Source: suricata
Severity: important
Tags: patch

Dear Maintainer,

I noticed that suricata (here 3.1.2-2~bpo8+1) stops updating '/var/log/suricata/suricata.log' after performing a log rotation. I confirmed this by forcing a rotation using:

  # logrotate --force /etc/logrotate.d/suricata

and then forcing some log output by reloading the rules:

  # killall -USR2 /usr/bin/suricata

after which the file stayed at size 0. I assume that the new file created by logrotate's 'create' option is not reopened by suricata after unlinking the old file. The other files in '/var/log/suricata' are apparently not affected.

This problem is fixed after applying the attached patch, which uses the 'copytruncate' option in logrotate instead of 'create'. IMHO this is the smallest impact fix for this issue; it might be worth looking at this in suricata itself to make the file handling consistent.

Cheers
Sascha

diff --git a/debian/suricata.logrotate b/debian/suricata.logrotate index 34abc6d..e318d1c 100644 --- a/debian/suricata.logrotate +++ b/debian/suricata.logrotate @@ -4,7 +4,7 @@ rotate 14 missingok compress - create + copytruncate sharedscripts postrotate /bin/kill -HUP $(cat /var/run/suricata.pid)
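
Review bot: the `copytruncate` line that replaces `create` applies to every log this stanza rotates, although the report says only suricata.log fails to reopen. logrotate documents that `copytruncate` can lose lines written between the copy and the truncate, so the files that already reopen correctly take on that window for no gain. Consider a separate stanza for suricata.log with `copytruncate` and keeping `create` for the rest. The `postrotate` `/bin/kill -HUP` line is left in place; note in the changelog that it is still needed for the files that do reopen on it.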
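
The rotation behaviour described in the report, reproduced with a stand-in writer (an added example, not part of the original report or the Debian package). The temporary paths and function names are constructed, the writer is a shell descriptor opened in append mode as an assumption standing in for suricata's log handle, and `log_is_orphaned` assumes Linux `/proc`.

```shell
#!/bin/sh
# Constructed demo: a writer keeps one append-mode descriptor open across a
# rotation, as a daemon does when it does not reopen its log file.

# rotate_create DIR: emulate logrotate 'create' (rename the old file, make a new one).
# Prints the size in bytes of the live log after the writer logs again.
rotate_create() {
    log="$1/create.log"
    : > "$log"
    exec 3>>"$log"                 # writer opens the log once
    echo "before rotation" >&3
    mv "$log" "$log.1"             # old inode moves away; fd 3 still points at it
    : > "$log"                     # 'create': new empty file, new inode
    echo "after rotation" >&3      # lands in create.log.1, not in the live log
    exec 3>&-
    wc -c < "$log" | tr -d ' '
}

# rotate_copytruncate DIR: emulate 'copytruncate' (copy, then truncate in place).
rotate_copytruncate() {
    log="$1/copytruncate.log"
    : > "$log"
    exec 3>>"$log"
    echo "before rotation" >&3
    cp "$log" "$log.1"
    : > "$log"                     # same inode, truncated; fd 3 stays valid
    echo "after rotation" >&3      # append mode writes at the new end of file
    exec 3>&-
    wc -c < "$log" | tr -d ' '
}

# log_is_orphaned PATH PID: succeeds when PID holds no descriptor on the file
# currently at PATH, i.e. the process is still writing to a rotated-away inode.
log_is_orphaned() {
    for fd in /proc/"$2"/fd/*; do
        if [ "$fd" -ef "$1" ]; then return 1; fi
    done
    return 0
}

demo_dir=$(mktemp -d)
echo "create:       live log is $(rotate_create "$demo_dir") bytes"
echo "copytruncate: live log is $(rotate_copytruncate "$demo_dir") bytes"
rm -rf "$demo_dir"
```

Run as root against a live sensor, `log_is_orphaned /var/log/suricata/suricata.log "$(cat /var/run/suricata.pid)"` gives a post-rotation check that the process still has the live file open.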

