Suricata Log Settings Seem Off

Started by BrandyWine, October 09, 2025, 06:04:22 AM

My log settings say weekly rotate keep 4, but logs dir /var/log/suricata seems to tell a different story. Am I looking at the wrong thing?


Mini-pc N150 i226v x520, FREEDOM


What more info is needed? What should I look at?

Logs are being rotated daily, settings say weekly.
More than 4 logs are saved, settings say save 4.
Mini-pc N150 i226v x520, FREEDOM

October 24, 2025, 11:13:27 PM #3 Last Edit: October 24, 2025, 11:15:50 PM by jonny5
Quote from: BrandyWine on October 15, 2025, 09:23:52 PM
What more info is needed? What should I look at?

Logs are being rotated daily, settings say weekly.
More than 4 logs are saved, settings say save 4.

Gotta admit, I have mine set at 2 weekly, and I only have 2... I was about to say "that's 4 weeks of logs..." but I only have two files and 2 + weekly... Not sure if either of our retentions is matching the configured state.

I did figure out how to enable manual rotation of an extra Suricata log file I have created through the use of Suricata's custom.yaml, and this file has stuck around through several upgrades.

file name example:
/usr/local/etc/newsyslog.conf.d/suricataxff.conf:

content example:
# logfilename [owner:group] mode count size when flags [/pid_file] [sig_num]
/var/log/suricata/evexff.json      root:wheel      640     1       500000  $W0D23  B       /var/run/suricata.pid   1
Custom: ASRock 970 Extreme3 R2.0 / AMD FX-8320E / 32 GB DDR3 1866 / X520 & I350 / 500GB SATA
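One way to answer the question raised in this thread (does the retention on disk match what newsyslog is configured for?) is to parse the newsyslog.conf.d entry and count the archives actually present. This is an added example, not code from the thread or from OPNsense; it assumes newsyslog's default archive naming (logfile.0, logfile.1, ... with an optional .gz/.bz2/.xz/.zst suffix) and builds a constructed log directory and config in a temp dir for the demo.

```shell
#!/bin/sh
# Added example: compare a newsyslog conf entry's configured "count"
# with the rotated archives found on disk. Assumes default naming
# (logfile.N, optionally compressed) and the standard newsyslog.conf
# column order: logfilename [owner:group] mode count size when flags ...

# Print "<logfile> <count> <when>" for each entry in a newsyslog conf file;
# comment lines and the optional [owner:group] column are handled.
parse_newsyslog() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            if ($2 ~ /:/) { cnt = $4; when = $6 } else { cnt = $3; when = $5 }
            print $1, cnt, when
        }' "$1"
}

# Count rotated archives (logfile.0, logfile.1.gz, ...) for one log path.
rotated_count() {
    n=0
    for f in "$1".[0-9]*; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Report each entry as OK or MISMATCH depending on whether more archives
# exist than the configured count allows.
check_retention() {
    parse_newsyslog "$1" | while read -r log cnt when; do
        have=$(rotated_count "$log")
        if [ "$have" -gt "$cnt" ]; then
            echo "MISMATCH $log configured=$cnt when=$when on_disk=$have"
        else
            echo "OK $log configured=$cnt when=$when on_disk=$have"
        fi
    done
}

# Constructed sample: six archives on disk, config says keep 4 weekly.
demo() {
    d=$(mktemp -d)
    : > "$d/eve.json"
    for i in 0 1 2 3 4 5; do : > "$d/eve.json.$i"; done
    printf '# logfilename [owner:group] mode count size when flags\n' > "$d/suricata.conf"
    printf '%s/eve.json root:wheel 640 4 * $W0D23 B\n' "$d" >> "$d/suricata.conf"
    check_retention "$d/suricata.conf"   # prints a MISMATCH line (on_disk=6)
    rm -rf "$d"
}
```

Running check_retention against /usr/local/etc/newsyslog.conf.d/suricataxff.conf (or the stock Suricata entry) shows whether the extra files are leftovers from an earlier schedule or from a second rotation mechanism.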