Netgate Discussion Forum
    Suricata alert.log deleted after 1 day

    Redyr:
      Hello guys,

      I'm addressing this to anyone who is able to test for at least 2 or 3 days.

      The issue is that the alert.log file from /var/log/suricata/suricata_igb(name of the interface) doesn't retain more than 1 or 2 days' worth of information about the alerts. The log is set to a 10 Megs limit, and to autorotate at 7 days.

      The expected behaviour should be that when the log is full, the system renames the current logfile by adding a timestamp extension to the filename and then opens a new primary log file.

      Actual:

      The log is deleted and replaced with a new one. After the Cron job ends, all the previous alerts are gone.

      Maybe this happens when the Suricata is restarted on the interfaces after the Cron job?

      Please let me know if this happens to anyone else.

      It happens on Legacy and on Inline mode.

      I will attach a print screen.

      The only log that rotates is stats.log as I see on my rig.

      Please check the print screen below
      [attachment: suricata.png]

    Redyr:

        Hello again,

        I post this with another time period.

        Picture attached.

        After testing enough I can say for sure that any Suricata logs are deleted if the following steps are followed:

        1. Set a cron job, or an update job that will update the lists for Suricata, that will trigger at least once a day.
        2. Verify what logs are present, and from which date, in /var/log/suricata/suricata_igb(name of the interface) before the job triggers.
        3. Wait for the Cron job to trigger.

        Notice that the old logs are erased and new ones are created.

        Please also note that if a log reaches the maximum allowed size, it will be rotated, but after the CRON job triggers, the rotated logs will be deleted also.

        In the end the user will only have logs that contain information between the Cron jobs (only one day).

        @bmeeks I know we've discussed this, but can you confirm that this is a bug, and if so what is the procedure about reporting it?

        Thank you

        ![suricata 2.png](/public/imported_attachments/1/suricata 2.png)

    Redyr:

          The only way that I could find to fix this, after serious testing, was to do a full reinstall and restore the backup configuration.

          The topic can be closed.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.