Suricata alert.log deleted after 1 day


  • Banned

    Hello guys,

    I'm addressing this to anyone that are able to test for at least 2 or 3 days.

    The issue is that alert.log file from /var/log/suricata/suricata_igb(name of the interface) doesn't retain more than 1 or 2 days information about the alerts. The log is set to 10 Megs limit, and to autorotate at 7 days.

    The expected behaviour should be that when the log is full, the system should rename the current logfile by adding a timestamp extension to the filename and then opening up a new primary log file.

    Actual:

    The log is deleted and replaced with a new one. After the Cron job ends, all the previous alerts are gone.

    Maybe this happens when the Suricata is restarted on the interfaces after the Cron job?

    Please let me now if this happens to anyone else.

    It happens on Legacy and on Inline mode.

    I will attach a print screen.

    The only log that rotates is stats.log as I see on my rig.

    Please check the print screen below


  • Banned

    Hello again,

    I post this with another time period.

    Picture attached.

    After testing enough I can say for sure that any Suricata logs are deleted if the following steps are followed:

    1. Set a cron job, or an update job that will update the lists for Suricata that will trigger at least once a day.
    2. Verify what logs are present, and from which date in the /var/log/suricata/suricata_igb(name of the interface) before the job triggers
    3. Wait for the Cron job to trigger.

    Notice that the old logs are erased and new ones are created.

    Please also note that if a log reaches the maxim allowed size, it will be rotated, but after the CRON job triggers, the rotated logs will be deleted also.

    In the end the user will only have logs that contain ingormation between the Cron jobs ( only one day)

    @bmeeks I know we've discussed this, but can you confirm that this is a bug, and if so what is the procedure about reporting it?

    Thank you

    ![suricata 2.png](/public/imported_attachments/1/suricata 2.png)
    ![suricata 2.png_thumb](/public/imported_attachments/1/suricata 2.png_thumb)


  • Banned

    The only way that I could find to fix this, after serious testing, was to do a full reinstall, and restoring the backup configuration.

    The topic can be closed.