scribe - syslog-ng and logrotate installer

elorimer

Very Senior Member
I removed Suricata and still have the suricata.log entry on the scribe syslog page. How do I get rid of it? It's the only lingering part left of manual uninstall.
Or, I think better, delete the configuration file from /opt/etc/syslog-ng.d (which I'm guessing you did), and then open uiScribe and use rf to rescan the /opt/etc/syslog-ng.d directory.
 

Kingp1n

Very Senior Member
I removed Suricata and still have the suricata.log entry on the scribe syslog page. How do I get rid of it? It's the only lingering part left of manual uninstall.
@skeal any specific reason you removed suricata? I'm thinking of installing but I'm just gathering info on pros/cons! Thanks!
 

skeal

Part of the Furniture
Or, I think better, delete the configuration file from /opt/etc/syslog-ng.d (which I'm guessing you did), and then open uiScribe and use rf to rescan the /opt/etc/syslog-ng.d directory.
That worked. Thanks.
 

skeal

Part of the Furniture
@skeal any specific reason you removed suricata? I'm thinking of installing but I'm just gathering info on pros/cons! Thanks!
I was only trying Suricata out because I was trying out Cake QOS. Turns out it doesn't matter to me whether Trend Micro is running or Suricata. So I went with what I know.
 

elorimer

Very Senior Member
How did you enable the suricata log in the GUI?
Do the opposite of removing it. Put the suricata log config file in /opt/etc/syslog-ng.d/, and then run uiScribe, option rf to rescan that directory.
 

XIII

Very Senior Member
Logging in /opt/var/log/suricata.log goes back to July 6 (so about 20 days now), while I use this in scribe:


Code:
# Created by SNBForums user @ttgapers
# log all suricata logs to suricata.log

destination d_suricata {
    file("/opt/var/log/suricata.log");
};

filter f_suricata {
    program("S82suricata") or
    program("suricata");
};

log {
    source(src);
    filter(f_suricata);
    destination(d_suricata);
    flags(final);
};

#eof

Code:
/opt/var/log/suricata.log {
    minsize 1024k
    daily
    rotate 9
    postrotate
        /usr/bin/killall -HUP syslog-ng
    endscript
}

I was expecting to see the logging of at most 1 day. Is my expectation or my configuration wrong? How to fix this?
 

Jack Yaz

Part of the Furniture
Logging in /opt/var/log/suricata.log goes back to July 6 (so about 20 days now), while I use this in scribe:


Code:
# Created by SNBForums user @ttgapers
# log all suricata logs to suricata.log

destination d_suricata {
    file("/opt/var/log/suricata.log");
};

filter f_suricata {
    program("S82suricata") or
    program("suricata");
};

log {
    source(src);
    filter(f_suricata);
    destination(d_suricata);
    flags(final);
};

#eof

Code:
/opt/var/log/suricata.log {
    minsize 1024k
    daily
    rotate 9
    postrotate
        /usr/bin/killall -HUP syslog-ng
    endscript
}

I was expecting to see the logging of at most 1 day. Is my expectation or my configuration wrong? How to fix this?
How big is the logfile? Minsize means it won't rotate until it's at least 1 MB big when logrotate runs.
 

L&LD

Part of the Furniture
Isn't that 4KB?
 

elorimer

Very Senior Member
I was expecting to see the logging of at most 1 day. Is my expectation or my configuration wrong? How to fix this?
Run this:
Code:
/opt/sbin/logrotate /opt/etc/logrotate.conf -d
That will run logrotate in debug mode, which just prints messages about what logrotate would do, if it ran for real. It will tell you if the log is or is not rotating and why.

Also, you can look at /var/lib/logrotate.status to see when that log was last rotated. (Not sure why it is way over in that location, but there it will be.)
 

XIII

Very Senior Member
/opt/sbin/logrotate /opt/etc/logrotate.conf -d
Code:
rotating pattern: /opt/var/log/suricata.log  after 1 days (9 rotations)
empty log files are not rotated, only log files >= 1048576 bytes are rotated, log files >= 4194304 are rotated earlier, old logs are removed
considering log /opt/var/log/suricata.log
  Now: 2020-07-27 09:47
  Last rotated at 2020-07-26 15:00
  log needs rotating
rotating log /opt/var/log/suricata.log, log->rotateCount is 9
dateext suffix '-20200727'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
compressing log with: /bin/gzip
glob finding old rotated logs failed
renaming /opt/var/log/suricata.log to /opt/var/log/suricata.log-20200727
creating new /opt/var/log/suricata.log mode = 0600 uid = 0 gid = 0
running postrotate script
running script with args /opt/var/log/suricata.log  (null): "
        /usr/bin/killall -HUP syslog-ng
"
Log is still 4162817 bytes afterwards...
 

Jack Yaz

Part of the Furniture
Code:
rotating pattern: /opt/var/log/suricata.log  after 1 days (9 rotations)
empty log files are not rotated, only log files >= 1048576 bytes are rotated, log files >= 4194304 are rotated earlier, old logs are removed
considering log /opt/var/log/suricata.log
  Now: 2020-07-27 09:47
  Last rotated at 2020-07-26 15:00
  log needs rotating
rotating log /opt/var/log/suricata.log, log->rotateCount is 9
dateext suffix '-20200727'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
compressing log with: /bin/gzip
glob finding old rotated logs failed
renaming /opt/var/log/suricata.log to /opt/var/log/suricata.log-20200727
creating new /opt/var/log/suricata.log mode = 0600 uid = 0 gid = 0
running postrotate script
running script with args /opt/var/log/suricata.log  (null): "
        /usr/bin/killall -HUP syslog-ng
"
Log is still 4162817 bytes afterwards...
What permissions does suricata.log have?
 

elorimer

Very Senior Member
Log is still 4162817 bytes afterwards...
That's because debug doesn't actually do anything. Still, the output looks to me like when it runs overnight, it will be (that is, should be) rotating the log. And the permissions are the same as mine (except, bad boy to be using admin as your login name).

Well, run logrotate with "--force". That will force rotation, and maybe give you some useful message.
 
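To make the logrotate behaviour discussed above concrete, here is an added example (not from this thread, not part of scribe or logrotate itself) that parses the `logrotate -d` output quoted by XIII and a `logrotate.status` file, then reports whether a log of a given size would rotate under those thresholds and why. The sample debug text and status file are constructed for the example; the "daily" check is approximated as a change of calendar day since the last rotation, which is an assumption of this example rather than logrotate's exact code.

```python
import re
from datetime import datetime

# Constructed sample: the relevant lines of the `logrotate -d` output quoted in the thread.
DEBUG_OUTPUT = """\
rotating pattern: /opt/var/log/suricata.log  after 1 days (9 rotations)
empty log files are not rotated, only log files >= 1048576 bytes are rotated, log files >= 4194304 are rotated earlier, old logs are removed
considering log /opt/var/log/suricata.log
  Now: 2020-07-27 09:47
  Last rotated at 2020-07-26 15:00
  log needs rotating
rotating log /opt/var/log/suricata.log, log->rotateCount is 9
"""

# Constructed sample status file in the "version 2" layout: quoted path, then Y-m-d-H:M:S.
STATUS_FILE = """\
logrotate state -- version 2
"/opt/var/log/messages" 2020-7-27-0:0:0
"/opt/var/log/suricata.log" 2020-7-26-15:0:0
"""


def parse_debug(text):
    """Extract thresholds, last rotation time and logrotate's decision from `-d` output."""
    info = {"path": None, "days": None, "rotate_count": None, "minsize": 0,
            "maxsize": None, "last_rotated": None, "needs_rotating": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"rotating pattern: (\S+)\s+after (\d+) days \((\d+) rotations\)", line)
        if m:
            info["path"] = m.group(1)
            info["days"] = int(m.group(2))
            info["rotate_count"] = int(m.group(3))
            continue
        m = re.search(r"only log files >= (\d+) bytes are rotated", line)
        if m:
            info["minsize"] = int(m.group(1))          # minsize: size must be reached AND interval elapsed
        m = re.search(r"log files >= (\d+) are rotated earlier", line)
        if m:
            info["maxsize"] = int(m.group(1))          # maxsize: size alone triggers rotation
        m = re.match(r"Last rotated at (\d{4}-\d{2}-\d{2} \d{2}:\d{2})", line)
        if m:
            info["last_rotated"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
        if line == "log needs rotating":
            info["needs_rotating"] = True
        elif line == "log does not need rotating":
            info["needs_rotating"] = False
    return info


def parse_status(text):
    """Return {path: datetime of last rotation} from a logrotate.status file (v1 date-only or v2)."""
    result = {}
    for line in text.splitlines():
        m = re.match(r'"([^"]+)" (\d+)-(\d+)-(\d+)(?:-(\d+):(\d+):(\d+))?', line)
        if m:
            parts = [int(p) for p in m.groups()[1:] if p is not None]
            result[m.group(1)] = datetime(*parts)
    return result


def explain(info, size_bytes, now):
    """Return (would_rotate, reason) for a log of size_bytes checked at time `now`."""
    if size_bytes == 0:
        return False, "empty log files are not rotated"
    if info["maxsize"] is not None and size_bytes >= info["maxsize"]:
        return True, f"size {size_bytes} >= maxsize {info['maxsize']}, rotated early"
    last = info["last_rotated"]
    # Assumption: 'daily' is treated as satisfied once the calendar day has advanced.
    elapsed = last is None or (now.date() - last.date()).days >= (info["days"] or 1)
    if not elapsed:
        return False, f"only {now - last} since last rotation, interval not elapsed"
    if size_bytes < info["minsize"]:
        return False, f"size {size_bytes} < minsize {info['minsize']}, stays until it grows"
    return True, f"interval elapsed and size {size_bytes} >= minsize {info['minsize']}"


if __name__ == "__main__":
    info = parse_debug(DEBUG_OUTPUT)
    status = parse_status(STATUS_FILE)
    print("last rotation per status file:", status[info["path"]])
    # 4162817 bytes is the size XIII reported; -d never rotates anything, which is why it stays.
    print(explain(info, 4162817, datetime(2020, 7, 27, 9, 47)))
```

Run it with `python3 check_rotate.py`; the interesting cases are a file under 1048576 bytes on a new day (rejected by minsize, which is what the reply above describes) and a file over 4194304 bytes on the same day (rotated early by maxsize). Remember that `-d` is a dry run, so a "log needs rotating" verdict followed by an unchanged file size is expected.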

TonyK132

Senior Member
I'm having several system problems that I found when I reinstalled Scribe. One problem is that portions of Scribe did not install because I have no room left on /jffs. Scribe seemed to install properly even with those error messages. Is this the correct behavior for Scribe?

Another problem is creating space on /jffs. Turns out I had Traffic Analyzer enabled. I have now disabled it in the GUI. But there remains an 18MB TrafficAnalyzer.db file that I want to delete that will create space, but when I try, I get an error message that it cannot be deleted because there is no room on /jffs. That seems counterintuitive but I guess it makes sense in the Linux world. I googled this problem but for all the suggestions I found, none worked. Is there a failsafe way to delete that file?

Beyond that .db file, maybe there are other files that I do not need that are taking up space. Is there a way to find and delete those unneeded files?
 

Butterfly Bones

Very Senior Member
I'm having several system problems that I found when I reinstalled Scribe. One problem is that portions of Scribe did not install because I have no room left on /jffs. Scribe seemed to install properly even with those error messages. Is this the correct behavior for Scribe?

Another problem is creating space on /jffs. Turns out I had Traffic Analyzer enabled. I have now disabled it in the GUI. But there remains an 18MB TrafficAnalyzer.db file that I want to delete that will create space, but when I try, I get an error message that it cannot be deleted because there is no room on /jffs. That seems counterintuitive but I guess it makes sense in the Linux world. I googled this problem but for all the suggestions I found, none worked. Is there a failsafe way to delete that file?

Beyond that .db file, maybe there are other files that I do not need that are taking up space. Is there a way to find and delete those unneeded files?
Here are the commands to purge the Traffic Analyzer file.
https://www.snbforums.com/threads/a...p-static-list-after-reboots.64884/post-597193
 
