29 Mar 2012 16:17
Re: Suricata's http-log
On 03/29/2012 03:46 PM, Martin Holste wrote:
> One other thing that would be nice and would be easier: can it log
> to the syslog facility? Then you could have your system's syslog
> handle rotation, etc.
>
> On Thu, Mar 29, 2012 at 7:54 AM, Peter Bates
> <peter.bates@...> wrote:
> > Hello all
> >
> > Suricata's inbuilt 'http log' is quite useful for adding context
> > to alerts and reducing the need for running additional software.
> >
> > As far as I can see, this file just grows and grows until restart.
> >
> > Would it be possible to add one of the following:
> >
> > 1) Allowing the rotation of the file on SIGHUP
> > 2) Creating a new file when the current one is moved away (as per Argus)
> > 3) Adding a filesize option to auto-rotate when a limit is reached
> >
> > I'm trying to avoid just using logrotate to move the file and then
> > restarting Suricata to pick up the change - if at all possible.

Shouldn't be hard to do. The output API for those line-based logs like http.log, fast.log, etc. already supports unix socket, and I think adding syslog shouldn't be very hard.

Might be a nice project for someone that wants to get familiar with our code base and dev procedures.

--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------