Support #1781
closed
fast.log stops updating
Description
Numerous hours after starting my suricata service, my fast.log stops getting appended to without a crash of the service, and it will stay this way for hours until I do a manual service restart. I've attached some relevant information, but because it is timed ambiguously (anywhere between 7 and 24 hours after service start) it's hard for me to get a gdb debug, but I am working on that now. It's not core dumping and the service stays up, it's just that the fast.log stops getting appended to. If I look at stats.log, it continues to write updates, but all of the values are static until the instance is restarted.
The service is not entirely failing, which is somewhat more difficult to monitor, maintain, and debug than if it would just crash and core dump. Some additional details are below, but I'd be more than happy to gather more details as requested. I also idle in #suricata as jzeolla if it's easier to chat there and just put the results of any conversation in this thread.
Dell PowerEdge R730
- 12 cores * 2 processors w/HT (48 total)
- 192GB RAM
- 300GB usable disk space, with usage < 30%
Ubuntu 14.04.4 LTS, x86_64
- 3.13.0-85-generic
Suricata 3.0.1 RELEASE
- See attached "build-info.txt" for the output of `suricata --build-info`
- See attached "sanitized suricata.yaml" for the related suricata.yaml
- See attached "sanitized suricata.log" for a not-yet-crashed log file (as far as I can tell, when this issue hits, nothing is written to suricata.log until the service gets restarted).
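
The symptom reported above (stats.log keeps being written, but every value is frozen) can be checked for automatically. The following is an added example, not part of the original report or of Suricata itself: it parses stats.log text dumps and reports when the watched counters have stopped moving. The stats.log layout, the counter names `capture.kernel_packets` and `decoder.pkts`, and all sample values are assumptions constructed for illustration.

```python
import re

DATE_RE = re.compile(r"^Date: (.+?) \(uptime: .+\)$")
ROW_RE = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")
# Assumed counter names; pick ones that always move on a busy sensor.
WATCH = ("capture.kernel_packets", "decoder.pkts")

def make_dump(ts, kernel_pkts, decoder_pkts):
    """Build one constructed stats.log dump (values are made up)."""
    bar = "-" * 84
    rows = [("capture.kernel_packets", kernel_pkts), ("decoder.pkts", decoder_pkts)]
    return "\n".join(
        [bar, f"Date: 4/20/2016 -- {ts} (uptime: 0d, 07h 00m 00s)", bar,
         f"{'Counter':<43}| {'TM Name':<26}| Value", bar]
        + [f"{name:<43}| {'Total':<26}| {value}" for name, value in rows])

# Constructed sample: counters advance once, then freeze for three dumps.
SAMPLE = "\n".join(make_dump(*d) for d in [
    ("09:00:00", 1000, 990), ("09:00:08", 2000, 1985),
    ("09:00:16", 2000, 1985), ("09:00:24", 2000, 1985)])

def parse_dumps(text):
    """Return [(date, {counter_name: value})] for each dump in stats.log text."""
    dumps = []
    for line in text.splitlines():
        m = DATE_RE.match(line)
        if m:
            dumps.append((m.group(1), {}))
            continue
        m = ROW_RE.match(line)  # header and separator lines do not match
        if m and dumps:
            dumps[-1][1][m.group(1)] = int(m.group(3))
    return dumps

def stalled_since(dumps, watch=WATCH, min_repeats=3):
    """Date of the first dump in a trailing run of >= min_repeats dumps with
    identical watched counters, or None if the counters are still moving."""
    if not dumps:
        return None
    snap = lambda c: tuple(c.get(name) for name in watch)
    last, run, first = snap(dumps[-1][1]), 0, None
    for date, counters in reversed(dumps):
        if snap(counters) != last:
            break
        run, first = run + 1, date
    return first if run >= min_repeats and None not in last else None

if __name__ == "__main__":
    print("stalled since:", stalled_since(parse_dumps(SAMPLE)))
```

On a link that can legitimately be idle, static counters alone are not proof of a stall, so `min_repeats` should be sized to the longest quiet period expected on the monitored interface.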