My log settings say weekly rotate keep 4, but logs dir /var/log/suricata seems to tell a different story. Am I looking at the wrong thing?
(https://i.postimg.cc/HLkh6GHT/ids-log-settings.png)
(https://i.postimg.cc/tg4MB0yp/suricata-logs.png)
more info needed
What more info is needed? What should I look at?
Logs are being rotated daily, settings say weekly.
More than 4 logs are saved, settings say save 4.
Quote from: BrandyWine on October 15, 2025, 09:23:52 PMWhat more info is needed? What should I look at?
Logs are being rotated daily, settings say weekly.
More than 4 logs are saved, settings say save 4.
gotta admit, i have mine set at 2 weekly, and i only have 2... i was about to say "that's 4 weeks of logs..." but i only have two files and 2 + weekly... not sure if either of our retention is matching the configured state
i did figure out how to enable manual rotation of an extra suricata log file i have created through the use of suricata's custom.yaml, and this file has stuck around through several upgrades
file name example:
/usr/local/etc/newsyslog.conf.d/suricataxff.conf:
content example:
# logfilename [owner:group] mode count size when flags [/pid_file] [sig_num]
/var/log/suricata/evexff.json root:wheel 640 1 500000 $W0D23 B /var/run/suricata.pid 1
Hi,
found this thread after creating mine.
Seems I have a similar issue. Suricata logs ignoring rotation settings – RAM disk filling up (https://forum.opnsense.org/index.php?topic=49573.0)
I set my save at 400, I dont know if it will actually delete any, but I dont want that
I dont know what it means by rotation, doesnt matter daily or weekly I get same result
My logs are auto rotated by size, I can get five a day
By rotated I mean a new file is started