Bug #3361

closed

json log files are not recreated if files are deleted

Added by corey thomas over 5 years ago. Updated almost 2 years ago.

Status: Closed
Priority: Normal
Assignee: -
Target version: -

Description

If a file, say alert.json, is deleted and Suricata is not restarted the old file is still written to on disk.
This causes other programs that are looking for the file to fail, sometimes silently.

It is normal Linux behavior (Oracle Linux in this case) but it would be great if Suricata handled the file deletion and started writing a new file.
Even better if the file was recovered from after deletion time (dtime of inode).

#1

Updated by Jason Ish over 5 years ago

Please check out the section in the manual about log file rotation:
https://suricata.readthedocs.io/en/suricata-5.0.0/output/log-rotation.html

If you remove one of the log files you have to tell Suricata that you did so. This is done with the SIGHUP signal. Alternatively you can just truncate the file:

:> /var/log/suricata/eve.json

The truncate command may work as well.

We are unlikely to have Suricata periodically check if the file has been removed due to performance considerations, but I may look into it. Even then, it wouldn't be a frequent check so you'd still want to SIGHUP to prevent events from being lost.
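The behaviour described in this thread (a daemon keeps writing to an unlinked inode until it is told to reopen, while a truncate works without any signal) can be reproduced with a small script. The following is an added illustration, not Suricata's own output code or anything from the project: a minimal append-only JSON-lines writer that reopens its path on SIGHUP, plus a `stale()` check that a monitoring tool could use to notice that the file it is tailing has been deleted or replaced. The path `eve.json` under a temporary directory and the sample events are constructed for the demo; the SIGHUP handler is an assumption about how such a daemon behaves, modelled on what the comment above describes.

```python
import os
import signal
import tempfile


class ReopeningLogger:
    """Append-only JSON-lines writer modelled on a daemon that keeps one file
    descriptor open and only reopens its log path when told to (SIGHUP).
    Added illustration; not Suricata's output code."""

    def __init__(self, path):
        self.path = path
        self.fd = None
        self.reopen()

    def reopen(self):
        """Close the current descriptor (if any) and open the path afresh.
        O_APPEND matters: after an external truncate, writes continue at the
        new end of file instead of leaving a NUL-filled hole at the old offset."""
        if self.fd is not None:
            os.close(self.fd)
        self.fd = os.open(self.path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o640)

    def write(self, line):
        os.write(self.fd, (line + "\n").encode())

    def stale(self):
        """True when the open descriptor no longer matches the path: the file
        was removed (link count 0) or replaced (different inode), i.e. events
        are going to an inode that nobody can find by name any more."""
        st_fd = os.fstat(self.fd)
        if st_fd.st_nlink == 0:
            return True
        try:
            st_path = os.stat(self.path)
        except FileNotFoundError:
            return True
        return (st_fd.st_ino, st_fd.st_dev) != (st_path.st_ino, st_path.st_dev)

    def handle_sighup(self):
        """Install a SIGHUP handler that reopens the log. Python only allows
        this from the main thread, so report whether it succeeded."""
        try:
            signal.signal(signal.SIGHUP, lambda signum, frame: self.reopen())
            return True
        except ValueError:
            return False

    def close(self):
        if self.fd is not None:
            os.close(self.fd)
            self.fd = None


def read_lines(path):
    with open(path) as f:
        return f.read().splitlines()


def demo(directory=None):
    """Walk through delete-then-SIGHUP and truncate; return the observations."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "eve.json")  # constructed path for the demo
    log = ReopeningLogger(path)
    out = {}

    log.write('{"event_type":"alert","n":1}')  # constructed sample events
    os.unlink(path)                            # what `rm eve.json` does
    log.write('{"event_type":"alert","n":2}')  # lands on the unlinked inode
    out["stale_after_rm"] = log.stale()        # a tailing tool can detect this
    out["exists_after_rm"] = os.path.exists(path)

    if log.handle_sighup():
        signal.raise_signal(signal.SIGHUP)     # same as `kill -HUP <pid>` from outside
    else:
        log.reopen()                           # not on the main thread: reopen directly
    log.write('{"event_type":"alert","n":3}')
    out["after_sighup"] = read_lines(path)     # events 1 and 2 are gone with the old inode

    os.truncate(path, 0)                       # same as `:> eve.json`
    log.write('{"event_type":"alert","n":4}')  # O_APPEND: written at the new end, no hole
    out["after_truncate"] = read_lines(path)
    out["stale_after_truncate"] = log.stale()

    log.close()
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Two points the run makes visible: after the `rm`, `stale()` is true and the path no longer exists even though writes keep succeeding, so events 1 and 2 are lost to anything reading by name; after the truncate, `stale()` stays false and the next event is the first line of the file, which is why the `:>` shortcut needs no SIGHUP.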

#2

Updated by Philippe Antoine almost 2 years ago

  • Status changed from New to Closed

Corey, is Jason's answer good for you?
