Bug #3361
closed
json log files are not recreated if files are deleted
Added by corey thomas over 5 years ago.
Updated almost 2 years ago.
Description
If a file, say alert.json, is deleted and Suricata is not restarted, the old file is still written to on disk.
This causes other programs that are looking for the file to fail, sometimes silently.
It is normal Linux behavior (Oracle Linux in this case), but it would be great if Suricata handled the file deletion and started writing a new file.
Even better if the file were recovered from after the deletion time (dtime of the inode).
Please check out the section in the manual about log file rotation:
https://suricata.readthedocs.io/en/suricata-5.0.0/output/log-rotation.html
If you remove one of the log files you have to tell Suricata that you did so. This is done with the SIGHUP signal. Alternatively you can just truncate the file:
:> /var/log/suricata/eve.json

The truncate command may work as well.
We are unlikely to have Suricata periodically check if the file has been removed due to performance considerations, but I may look into it. Even then, it wouldn't be a frequent check so you'd still want to SIGHUP to prevent events from being lost.
- Status changed from New to Closed
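Added example, not Suricata's code and not part of the thread: a small Python writer that holds eve.json open the way a daemon does. It shows why removing the file leaves the running writer appending to an unlinked inode that nothing on the path can see, what a SIGHUP-style reopen changes, and why in-place truncation works without a reopen. Paths live in a temporary directory created here, the JSON lines are constructed, and `Logger.reopen()` is called directly where a real daemon would run it from its SIGHUP handler.

```python
"""Deleted-vs-truncated log files as seen by a writer that keeps the fd open.
Added example; not Suricata code. Assumes a POSIX filesystem."""
import os
import tempfile

OPEN_FLAGS = os.O_WRONLY | os.O_CREAT | os.O_APPEND


class Logger:
    """Append-only writer that holds one descriptor open, like a daemon writing eve.json."""

    def __init__(self, path):
        self.path = path
        self.fd = os.open(path, OPEN_FLAGS, 0o640)

    def write(self, line):
        os.write(self.fd, (line + "\n").encode())

    def reopen(self):
        """What a SIGHUP handler does: drop the old descriptor and open the path again.
        O_CREAT recreates the file if it was unlinked."""
        os.close(self.fd)
        self.fd = os.open(self.path, OPEN_FLAGS, 0o640)

    def writing_to_deleted_inode(self):
        """True if the path no longer names the inode we hold open.
        One stat() per call: cheap, but not something a daemon wants per event."""
        try:
            return os.stat(self.path).st_ino != os.fstat(self.fd).st_ino
        except FileNotFoundError:
            return True

    def close(self):
        os.close(self.fd)


def delete_then_reopen():
    """rm the file, keep writing, then reopen. Constructed scenario.
    Returns (orphaned_before_reopen, path_exists_before_reopen, lines_in_new_file)."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "eve.json")
        log = Logger(path)
        log.write('{"event_type":"alert","n":1}')
        os.unlink(path)                              # the reporter's rm eve.json
        log.write('{"event_type":"alert","n":2}')    # lands on the unlinked inode, lost from view
        orphaned = log.writing_to_deleted_inode()    # True: path gone, fd still valid
        exists = os.path.exists(path)                # False: nothing recreates it on its own
        log.reopen()                                 # what SIGHUP triggers in the daemon
        log.write('{"event_type":"alert","n":3}')    # first line of the recreated file
        log.close()
        with open(path) as f:
            lines = f.read().splitlines()
    return orphaned, exists, lines


def truncate_in_place():
    """The `:> eve.json` alternative. Constructed scenario.
    Returns (same_inode, lines_in_file)."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "eve.json")
        log = Logger(path)
        log.write('{"event_type":"alert","n":1}')
        os.truncate(path, 0)                         # same inode, size 0; the fd stays valid
        # With O_APPEND the next write goes to the new end of file, so no reopen is needed.
        # A writer without O_APPEND would keep its old offset and leave a NUL-filled hole.
        log.write('{"event_type":"alert","n":2}')
        same_inode = not log.writing_to_deleted_inode()
        log.close()
        with open(path) as f:
            lines = f.read().splitlines()
    return same_inode, lines


if __name__ == "__main__":
    print(delete_then_reopen())
    print(truncate_in_place())
```

The stat-per-write check in `writing_to_deleted_inode()` is the "periodic check" the reply says is unattractive for performance reasons; a signal is the cheaper contract, and event 2 above is the data a late check would still lose.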
Corey, is Jason's answer good for you?