I am running pfSense 2.5.2-RELEASE with Suricata package 6.0.0_11.
I have noticed that my Suricata logs are not correctly rotating and are slowly filling the disk.
Any ideas on how to fix this would be appreciated.
Jul 11 11:15: I delete all of the logs.
This is the state of the folder prior to restarting Suricata.
alerts.log.2021_0712_0635 is still being appended to by Suricata.
It is as if the file has been moved and Suricata is still writing to it.
[2.5.2-RELEASE][root@firewall]/var/log/suricata/suricata_igb063733: ls -lah
total 10096264
drwxr-xr-x 2 root wheel 512B Jul 18 19:00 .
drwx------ 3 root wheel 512B Jul 11 11:15 ..
-rw-r--r-- 1 root wheel 0B Jul 21 20:45 alerts.log
-rw-r--r-- 1 root wheel 9.6G Jul 21 20:48 alerts.log.2021_0712_0635
-rw-r--r-- 1 root wheel 0B Jul 21 20:45 http.log
-rw-r--r-- 1 root wheel 32M Jul 21 20:48 http.log.2021_0712_0330
-rw-r--r-- 1 root wheel 30K Jul 21 20:49 suricata.log
Jul 21 20:48: I restart Suricata.
The archived log file is no longer being written to, and the alerts.log file is now being filled.
[2.5.2-RELEASE][root@firewall]/var/log/suricata/suricata_igb063733: ls -lah
total 10096276
drwxr-xr-x 2 root wheel 512B Jul 18 19:00 .
drwx------ 3 root wheel 512B Jul 11 11:15 ..
-rw-r--r-- 1 root wheel 614B Jul 21 21:15 alerts.log
-rw-r--r-- 1 root wheel 9.6G Jul 21 20:48 alerts.log.2021_0712_0635
-rw-r--r-- 1 root wheel 4.1K Jul 21 21:17 http.log
-rw-r--r-- 1 root wheel 32M Jul 21 20:48 http.log.2021_0712_0330
-rw-r--r-- 1 root wheel 30K Jul 21 20:50 suricata.log
[2.5.2-RELEASE][root@firewall]/var/log/suricata/suricata_igb063733: stat *
125 6580999 -rw-r--r-- 1 root wheel 13154629 614 "Jul 12 06:35:01 2021" "Jul 21 21:15:54 2021" "Jul 21 21:15:54 2021" "Jul 12 06:35:01 2021" 32768 8 0 alerts.log
125 6580995 -rw-r--r-- 1 root wheel 13154512 10302656397 "Jul 11 11:15:09 2021" "Jul 21 20:48:18 2021" "Jul 21 20:48:18 2021" "Jul 11 11:15:09 2021" 32768 20127424 0 alerts.log.2021_0712_0635
125 6580998 -rw-r--r-- 1 root wheel 13154592 4162 "Jul 12 03:30:00 2021" "Jul 21 21:17:00 2021" "Jul 21 21:17:00 2021" "Jul 12 03:30:00 2021" 32768 16 0 http.log
125 6580997 -rw-r--r-- 1 root wheel 13154824 33253244 "Jul 11 19:00:00 2021" "Jul 21 20:48:58 2021" "Jul 21 20:48:58 2021" "Jul 11 19:00:00 2021" 32768 65024 0 http.log.2021_0712_0330
125 6580994 -rw-r--r-- 1 root wheel 13154424 31049 "Jul 11 11:15:09 2021" "Jul 21 20:50:14 2021" "Jul 21 20:50:14 2021" "Jul 11 11:15:09 2021" 32768 64 0 suricata.log
The log folder size is much larger than the max size specified in the config.
[2.5.2-RELEASE][root@firewall]/var/log: du -hs ./suricata/
9.6G ./suricata/
The log management config is mostly set to default values:
The directory size limit has been set to 4096 MB.
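The stat output above tells the story: the archived file keeps the original inode and birth time of Jul 11 11:15, the new alerts.log is a fresh inode born at the rotation time, and the archive's mtime keeps advancing until the restart. That is the classic "rename without reopen" rotation failure: a daemon opens its log once and writes through that descriptor, so renaming the file does nothing to the descriptor, and the bytes keep landing in the old inode (which also dodges any size limit computed on the new file). The script below is an added demonstration written for this post, not pfSense or Suricata code; it reproduces the failure with a plain shell writer, shows the inode/size evidence, includes a small detector for "archive newer than live log" (the state in the ls listing), and shows that only reopening the path, which for Suricata means a restart or the log-reopen signal its documentation describes, makes the archive stop growing. It assumes a POSIX sh with mktemp -d, ls -i, wc -c and test -nt as found on FreeBSD and Linux; the file names mimic the post but are constructed here.

```shell
#!/bin/sh
# Added demo, not pfSense or Suricata code: a log renamed out from under a
# running writer keeps growing, because the writer holds the old inode open.
# Assumptions: mktemp -d, ls -i, wc -c and test -nt behave as on FreeBSD/Linux;
# the file names mimic the forum post but are constructed here.

inode_of() { ls -i "$1" | awk '{print $1}'; }
size_of()  { wc -c < "$1" | tr -d ' '; }

# The "daemon": open the log once on fd 3 and append through that descriptor,
# like a process that calls open() at startup and then only ever write()s.
writer_open()   { exec 3>>"$1"; }
writer_append() { printf '%s\n' "$1" >&3; }
writer_close()  { exec 3>&-; }

# Naive rotation: rename the live file and create a fresh empty one,
# without asking the writer to reopen. The writer never notices.
rotate_rename_only() {
    mv "$1" "$1.$2"
    : > "$1"
}

# Detector for the state in the post: an archive that is newer than the live
# log is still being written to. Lists each such archive on stderr, prints count.
stuck_archives() {
    dir=$1; base=$2; n=0
    for f in "$dir/$base".*; do
        [ -f "$f" ] || continue
        if [ "$f" -nt "$dir/$base" ]; then
            echo "still growing: $f" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Walk through the failure and the fix; prints one summary line of 1/0 flags.
demo() {
    dir=$(mktemp -d)
    log="$dir/alerts.log"
    writer_open "$log"
    writer_append "alert 1"
    old_inode=$(inode_of "$log")

    rotate_rename_only "$log" 2021_0712_0635
    archived="$log.2021_0712_0635"
    sleep 1                                 # let mtimes differ by a full second
    before=$(size_of "$archived")
    writer_append "alert 2"                 # lands in the archive, not the new file
    after=$(size_of "$archived")
    stuck=$(stuck_archives "$dir" alerts.log)

    same_inode=0
    [ "$(inode_of "$archived")" = "$old_inode" ] && same_inode=1
    live_size=$(size_of "$log")             # new live file is still 0 bytes

    # The fix: the writer must reopen its path (for Suricata: a restart, or the
    # reopen signal its log-rotation docs describe). Then the archive freezes.
    writer_close
    writer_open "$log"
    writer_append "alert 3"
    fixed_live=$(size_of "$log")
    fixed_archived=$(size_of "$archived")
    writer_close
    rm -rf "$dir"

    echo "archived_grew=$((after > before)) same_inode=$same_inode live_empty=$((live_size == 0)) stuck=$stuck reopened_live_grew=$((fixed_live > 0)) archive_frozen=$((fixed_archived == after))"
}

demo
```

On the firewall itself the equivalent one-liner check is the `-nt` loop from `stuck_archives` run against /var/log/suricata/suricata_igb063733 with base alerts.log: any archive it reports is one whose descriptor is still held by the running Suricata, and the space will not come back until that process reopens or exits, even if you delete the file.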