Bug #809
Updated by Victor Julien over 9 years ago
I've been working on routing suricata alerts to ELSA via rsyslog for aggregation and analysis. I recently began using USR2 to update the running ruleset immediately following an oinkmaster update. What I found was that alerts would be corrupted right after the USR2 signal. Example alerts:

GOOD

    May 8 18:02:31 HOSTNAME snort[7905]: [1:20147:16] ET POLICY.....

After USR2 (BAD)

    May 8 18:10:31 HOSTNAME ??M#001[8056]: 6]: [1:20147:0] ET POLICY...

As you can see, after the USR2 signal is processed, the "identity" field in syslog is hosed, as well as what appears to be an echo following the PID ("6]:") a few characters later. The identity is set to "snort" because ELSA requires it. Everything else seems fine. I have been able to replicate this repeatedly on several Ubuntu 12.04 LTS hosts running suricata 1.4.1. I have since created a work-around for this by changing "suricata" to "snort" via syslog-ng on the ELSA system, but wanted to report the bug. Thanks!
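A small checker for catching this kind of corruption on the aggregation side, added here as an example and not part of the report or of Suricata: it parses the BSD-style syslog line rsyslog forwards, pulls out the ident, PID and the [gid:sid:rev] alert header, and flags lines whose ident is not the expected "snort", contains characters outside a sane ident alphabet (rsyslog renders control bytes as #NNN, which is what "#001" above is), or has stray text between the PID and the alert header. The two sample lines are the ones quoted in the report; the anomaly tags and the "snort" default are this example's own choices.

```python
import re
import string

# Classic BSD syslog line as rsyslog writes it: "Mon  D HH:MM:SS host ident[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<ident>[^\[ ]*)\[(?P<pid>\d+)\]: "
    r"(?P<msg>.*)$"
)
# Alert header inside the message: [gid:sid:rev] followed by the rule message
ALERT_RE = re.compile(r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<text>.*)$")

# Characters a sane openlog() ident is expected to consist of (assumption of this example)
IDENT_CHARS = set(string.ascii_letters + string.digits + "._-")

# The two lines quoted in the bug report
GOOD_LINE = "May 8 18:02:31 HOSTNAME snort[7905]: [1:20147:16] ET POLICY....."
BAD_LINE = "May 8 18:10:31 HOSTNAME ??M#001[8056]: 6]: [1:20147:0] ET POLICY..."

def parse_alert(line):
    """Split a syslog-forwarded alert into fields; None if the line is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    a = ALERT_RE.search(rec["msg"])
    if a:
        rec["prefix"] = rec["msg"][:a.start()]  # anything between "pid]: " and "[gid:sid:rev]"
        rec.update(gid=int(a["gid"]), sid=int(a["sid"]), rev=int(a["rev"]), text=a["text"])
    return rec

def check_line(line, expected_ident="snort"):
    """Return a list of anomaly tags for one line (empty when the line looks clean)."""
    rec = parse_alert(line)
    if rec is None:
        return ["unparseable"]
    found = []
    if rec["ident"] != expected_ident:
        found.append("ident_mismatch")
    if any(c not in IDENT_CHARS for c in rec["ident"]):
        found.append("ident_garbled")
    if "gid" not in rec:
        found.append("no_alert_header")
    elif rec["prefix"]:
        found.append("garbage_before_header")
    return found

if __name__ == "__main__":
    for line in (GOOD_LINE, BAD_LINE):
        print(check_line(line) or "clean", "<-", line)
```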