how you enabled suricata log on gui ?
Scribe scribe - syslog-ng and logrotate installer
- Thread starter cmkelley
- Start date
Do the opposite of removing it. Put the suricata log config file in /opt/etc/syslog-ng.d/, and then run uiScribe, option rf to rescan that directory.
done, working now thx.
XIII
Very Senior Member
Logging in /opt/var/log/suricata.log goes back to July 6 (so about 20 days now), while I use this in scribe:
I was expecting to see the logging of at most 1 day. Is my expectation or my configuration wrong? How to fix this?
Code:
# Created by SNBForums user @ttgapers
# log all suricata logs to suricata.log
destination d_suricata {
file("/opt/var/log/suricata.log");
};
filter f_suricata {
program("S82suricata") or
program("suricata");
};
log {
source(src);
filter(f_suricata);
destination(d_suricata);
flags(final);
};
#eof
Code:
/opt/var/log/suricata.log {
minsize 1024k
daily
rotate 9
postrotate
/usr/bin/killall -HUP syslog-ng
endscript
}I was expecting to see the logging of at most 1 day. Is my expectation or my configuration wrong? How to fix this?
Jack Yaz
Part of the Furniture
How big is the logfile? Minsize means it won't rotate until its at least 1mb big when logrotate runs
XIII
Very Senior Member
No? (4056 KB, so almost 4 MB)
Code:
> du --help
...
-m Sizes in megabytes
-k Sizes in kilobytes (default)and
Code:
> du -m suricata.log
4 suricata.logRun this:
Code:
/opt/sbin/logrotate /opt/etc/logrotate.conf -dAlso, you can look at /var/lib/logrotate.status to see when that log was last rotated. (Not sure why it is way over in that location, but there it will be.)
XIII
Very Senior Member
Code:
rotating pattern: /opt/var/log/suricata.log after 1 days (9 rotations)
empty log files are not rotated, only log files >= 1048576 bytes are rotated, log files >= 4194304 are rotated earlier, old logs are removed
considering log /opt/var/log/suricata.log
Now: 2020-07-27 09:47
Last rotated at 2020-07-26 15:00
log needs rotating
rotating log /opt/var/log/suricata.log, log->rotateCount is 9
dateext suffix '-20200727'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
compressing log with: /bin/gzip
glob finding old rotated logs failed
renaming /opt/var/log/suricata.log to /opt/var/log/suricata.log-20200727
creating new /opt/var/log/suricata.log mode = 0600 uid = 0 gid = 0
running postrotate script
running script with args /opt/var/log/suricata.log (null): "
/usr/bin/killall -HUP syslog-ng
"Log is still 4162817 bytes afterwards...
Jack Yaz
Part of the Furniture
What permissions does suricata.log have?
XIII
Very Senior Member
Code:
> ls -l /opt/var/log/suricata.log
-rw------- 1 admin root 4162817 Jul 27 09:01 /opt/var/log/suricata.logThat's because debug doesn't actually do anything. Still, the output looks to me like when it runs overnight, it will be (that is, should be) rotating the log. And the permissions are the same as mine (except, bad boy to be using admin as your login name).
Well, run logrotate with "--force". That will force rotation, and maybe give you some useful message.
I'm having several system problems that I found when I reinstalled Scribe. One problem is that portions of Scribe did not install because I have no room left on /jffs. Scribe seemed to install properly even with those error messages. This this the correct behavior for Scribe?
Another problem is creating space on /jffs. Turns out I had Traffic Analyzer enabled. I have now disabled it in the GUI. But there remains a 18MB TrafficAnalyzer.db file that I want to delete that will create space but when I try, I get an error message that it cannot be deleted because there is no room on /jffs. That seems counterintuitive but I guess it makes sense in Linux world. I googled this problem but for all the suggestions I found, none worked. Is there a failsafe way to delete that file?
Beyond that .db file, maybe there are other files that I do not need that are taking up space. Is there a way to find and delete those un-needed files?
Another problem is creating space on /jffs. Turns out I had Traffic Analyzer enabled. I have now disabled it in the GUI. But there remains a 18MB TrafficAnalyzer.db file that I want to delete that will create space but when I try, I get an error message that it cannot be deleted because there is no room on /jffs. That seems counterintuitive but I guess it makes sense in Linux world. I googled this problem but for all the suggestions I found, none worked. Is there a failsafe way to delete that file?
Beyond that .db file, maybe there are other files that I do not need that are taking up space. Is there a way to find and delete those un-needed files?
Butterfly Bones
Very Senior Member
Here are the commands to purge the Traffic Analyzer file.
https://www.snbforums.com/threads/a...p-static-list-after-reboots.64884/post-597193
These commands did not work.
XIII
Very Senior Member
That’s not the real login name I use...
Update: I rebooted, then tried to do a delete from WinSCP and that worked. Then I reinstalled Scribe. Initially it hung when checking CRU but I cancelled out of it, restarted amtm, sent to reinstall Scribe again, than this time, it seemed to work. I was not sure if UIScribe was also installed or working so I reinstalled it. It all now seems to be working. When I go into System Log in the GUI it appears to be putting the info in the correct screens, so I think I'm good for now.
Butterfly Bones
Very Senior Member
Two posts below is another solution someone found.
XIII
Very Senior Member
Today (2020-07-29) it seems to finally have rotated:
Code:
suricata.log
suricata.log-20200706.gz
suricata.log-20200729suricata.log file now only contains entries from today.(I rebooted my router yesterday evening; would that have made a difference?)
Similar threads
Similar threads
Similar threads
-
Scribe Strange Issue with Scribe / Syslog-NG after Reboot
- Started by ScottW
- Replies: 7
-
Scribe Scribe nvram log_path - what should it be?
- Started by vibroverbus
- Replies: 4
-
Scribe Issues with scribe.... Errors all over the place after restarting scribe!
- Started by SomeWhereOverTheRainBow
- Replies: 8
-
Scribe [SOLVED] syslog-ng intermittent failure to shutdown which messes all logging
- Started by Tarek Yag
- Replies: 15
-
AdGuardHome There are tons of dnsproxy error messages occuring on syslog.
- Started by jklim
- Replies: 2
-
Updated scMerlin to 2.5.5 - syslog stops at 'syslogd exiting'
- Started by thecheapseats
- Replies: 9
Latest threads
-
ROG 98 Pro: Fire Stick 4K Max won’t connect to WiFi 6E???
- Started by Poseidon
- Replies: 0
-
-
Help with RT-ac88u network switch issues - causing reboot
- Started by rkalinka
- Replies: 0
-
TP-Link routers are being taken over by botnet
- Started by TheLostSwede
- Replies: 3
-
RT-AX86U Pro - Merlin: can't get p2p cameras available to wan.
- Started by mightyoakbob
- Replies: 1
Support SNBForums w/ Amazon
If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!
Sign Up For SNBForums Daily Digest
Get an update of what's new every day delivered to your mailbox. Sign up here!