Scribe scribe - syslog-ng and logrotate installer

[Milan]

I was only trying Suricata out because I was trying out Cake QOS. Turns out doesn't matter to me whether Trend Micro is running or Suricata. So I went with what I know.

how you enabled suricata log on gui ?

 

[elorimer]

how you enabled suricata log on gui ?

Do the opposite of removing it. Put the suricata log config file in /opt/etc/syslog-ng.d/, and then run uiScribe, option rf to rescan that directory.

 

[Milan]

Do the opposite of removing it. Put the suricata log config file in /opt/etc/syslog-ng.d/, and then run uiScribe, option rf to rescan that directory.

done, working now thx.

 

[XIII]

Logging in /opt/var/log/suricata.log goes back to July 6 (so about 20 days now), while I use this in scribe:

Spoiler: /opt/etc/syslog-ng.d/suricata

# Created by SNBForums user @ttgapers
# log all suricata logs to suricata.log

destination d_suricata {
    file("/opt/var/log/suricata.log");
};

filter f_suricata {
    program("S82suricata") or
    program("suricata");
};

log {
    source(src);
    filter(f_suricata);
    destination(d_suricata);
    flags(final);
};

#eof

Spoiler: /opt/etc/logrotate.d/suricata

/opt/var/log/suricata.log {
    minsize 1024k
    daily
    rotate 9
    postrotate
        /usr/bin/killall -HUP syslog-ng
    endscript
}

I was expecting to see the logging of at most 1 day. Is my expectation or my configuration wrong? How to fix this?

 

[Jack Yaz]

Logging in /opt/var/log/suricata.log goes back to July 6 (so about 20 days now), while I use this in scribe:

Spoiler: /opt/etc/syslog-ng.d/suricata

# Created by SNBForums user @ttgapers
# log all suricata logs to suricata.log

destination d_suricata {
    file("/opt/var/log/suricata.log");
};

filter f_suricata {
    program("S82suricata") or
    program("suricata");
};

log {
    source(src);
    filter(f_suricata);
    destination(d_suricata);
    flags(final);
};

#eof

Spoiler: /opt/etc/logrotate.d/suricata

/opt/var/log/suricata.log {
    minsize 1024k
    daily
    rotate 9
    postrotate
        /usr/bin/killall -HUP syslog-ng
    endscript
}

I was expecting to see the logging of at most 1 day. Is my expectation or my configuration wrong? How to fix this?

How big is the logfile? Minsize means it won't rotate until its at least 1mb big when logrotate runs

 

[XIII]

> du -k suricata.log
4056    suricata.log

So about 4 MB?

 

[L&LD]

Isn't that 4KB?

 

[XIII]

Isn't that 4KB?

No? (4056 KB, so almost 4 MB)

> du --help
...
        -m      Sizes in megabytes
        -k      Sizes in kilobytes (default)

and

> du -m suricata.log
4       suricata.log

 

[elorimer]

I was expecting to see the logging of at most 1 day. Is my expectation or my configuration wrong? How to fix this?

Run this:

/opt/sbin/logrotate /opt/etc/logrotate.conf -d

That will run logrotate in debug mode, which just prints messages about what logrotate would do, if it ran for real. It will tell you if the log is or is not rotating and why.

Also, you can look at /var/lib/logrotate.status to see when that log was last rotated. (Not sure why it is way over in that location, but there it will be.)

 

[XIII]

/opt/sbin/logrotate /opt/etc/logrotate.conf -d

rotating pattern: /opt/var/log/suricata.log  after 1 days (9 rotations)
empty log files are not rotated, only log files >= 1048576 bytes are rotated, log files >= 4194304 are rotated earlier, old logs are removed
considering log /opt/var/log/suricata.log
  Now: 2020-07-27 09:47
  Last rotated at 2020-07-26 15:00
  log needs rotating
rotating log /opt/var/log/suricata.log, log->rotateCount is 9
dateext suffix '-20200727'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
compressing log with: /bin/gzip
glob finding old rotated logs failed
renaming /opt/var/log/suricata.log to /opt/var/log/suricata.log-20200727
creating new /opt/var/log/suricata.log mode = 0600 uid = 0 gid = 0
running postrotate script
running script with args /opt/var/log/suricata.log  (null): "
        /usr/bin/killall -HUP syslog-ng
"

Log is still 4162817 bytes afterwards...

 

[Jack Yaz]

rotating pattern: /opt/var/log/suricata.log  after 1 days (9 rotations)
empty log files are not rotated, only log files >= 1048576 bytes are rotated, log files >= 4194304 are rotated earlier, old logs are removed
considering log /opt/var/log/suricata.log
  Now: 2020-07-27 09:47
  Last rotated at 2020-07-26 15:00
  log needs rotating
rotating log /opt/var/log/suricata.log, log->rotateCount is 9
dateext suffix '-20200727'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
compressing log with: /bin/gzip
glob finding old rotated logs failed
renaming /opt/var/log/suricata.log to /opt/var/log/suricata.log-20200727
creating new /opt/var/log/suricata.log mode = 0600 uid = 0 gid = 0
running postrotate script
running script with args /opt/var/log/suricata.log  (null): "
        /usr/bin/killall -HUP syslog-ng
"

Log is still 4162817 bytes afterwards...

What permissions does suricata.log have?

 

[XIII]

What permissions does suricata.log have?

> ls -l /opt/var/log/suricata.log
-rw------- 1 admin root 4162817 Jul 27 09:01 /opt/var/log/suricata.log

 

[elorimer]

Log is still 4162817 bytes afterwards...

That's because debug doesn't actually do anything. Still, the output looks to me like when it runs overnight, it will be (that is, should be) rotating the log. And the permissions are the same as mine (except, bad boy to be using admin as your login name).

Well, run logrotate with "--force". That will force rotation, and maybe give you some useful message.

 

[TonyK132]

I'm having several system problems that I found when I reinstalled Scribe. One problem is that portions of Scribe did not install because I have no room left on /jffs. Scribe seemed to install properly even with those error messages. This this the correct behavior for Scribe?

Another problem is creating space on /jffs. Turns out I had Traffic Analyzer enabled. I have now disabled it in the GUI. But there remains a 18MB TrafficAnalyzer.db file that I want to delete that will create space but when I try, I get an error message that it cannot be deleted because there is no room on /jffs. That seems counterintuitive but I guess it makes sense in Linux world. I googled this problem but for all the suggestions I found, none worked. Is there a failsafe way to delete that file?

Beyond that .db file, maybe there are other files that I do not need that are taking up space. Is there a way to find and delete those un-needed files?

 

[Butterfly Bones]

I'm having several system problems that I found when I reinstalled Scribe. One problem is that portions of Scribe did not install because I have no room left on /jffs. Scribe seemed to install properly even with those error messages. This this the correct behavior for Scribe?

Another problem is creating space on /jffs. Turns out I had Traffic Analyzer enabled. I have now disabled it in the GUI. But there remains a 18MB TrafficAnalyzer.db file that I want to delete that will create space but when I try, I get an error message that it cannot be deleted because there is no room on /jffs. That seems counterintuitive but I guess it makes sense in Linux world. I googled this problem but for all the suggestions I found, none worked. Is there a failsafe way to delete that file?

Beyond that .db file, maybe there are other files that I do not need that are taking up space. Is there a way to find and delete those un-needed files?

Here are the commands to purge the Traffic Analyzer file.
https://www.snbforums.com/threads/a...p-static-list-after-reboots.64884/post-597193

 

[TonyK132]

Here are the commands to purge the Traffic Analyzer file.
https://www.snbforums.com/threads/a...p-static-list-after-reboots.64884/post-597193

These commands did not work.

 

[XIII]

except, bad boy to be using admin as your login name

That’s not the real login name I use...

 

[TonyK132]

Update: I rebooted, then tried to do a delete from WinSCP and that worked. Then I reinstalled Scribe. Initially it hung when checking CRU but I cancelled out of it, restarted amtm, sent to reinstall Scribe again, than this time, it seemed to work. I was not sure if UIScribe was also installed or working so I reinstalled it. It all now seems to be working. When I go into System Log in the GUI it appears to be putting the info in the correct screens, so I think I'm good for now.

 

[Butterfly Bones]

These commands did not work.

Two posts below is another solution someone found.

 

[XIII]

Still, the output looks to me like when it runs overnight, it will be (that is, should be) rotating the log.

Today (2020-07-29) it seems to finally have rotated:

suricata.log
suricata.log-20200706.gz
suricata.log-20200729

The suricata.log file now only contains entries from today.

(I rebooted my router yesterday evening; would that have made a difference?)