Scribe - syslog-ng and logrotate installer

I removed Suricata and still have the suricata.log entry on the scribe syslog page. How do I get rid of it? It's the only lingering part left of manual uninstall.
Or, I think better, delete the configuration file from /opt/etc/syslog-ng.d (which I'm guessing you did), and then open uiScribe and use rf to rescan the /opt/etc/syslog-ng.d directory.
 
I removed Suricata and still have the suricata.log entry on the scribe syslog page. How do I get rid of it? It's the only lingering part left of manual uninstall.
@skeal any specific reason you removed suricata? I'm thinking of installing but I'm just gathering info on pros/cons! Thanks!
 
Or, I think better, delete the configuration file from /opt/etc/syslog-ng.d (which I'm guessing you did), and then open uiScribe and use rf to rescan the /opt/etc/syslog-ng.d directory.
That worked. Thanks.
 
@skeal any specific reason you removed suricata? I'm thinking of installing but I'm just gathering info on pros/cons! Thanks!
I was only trying Suricata out because I was trying out Cake QOS. Turns out doesn't matter to me whether Trend Micro is running or Suricata. So I went with what I know.
 
I was only trying Suricata out because I was trying out Cake QOS. Turns out doesn't matter to me whether Trend Micro is running or Suricata. So I went with what I know.
how you enabled suricata log on gui ?
 
how you enabled suricata log on gui ?
Do the opposite of removing it. Put the suricata log config file in /opt/etc/syslog-ng.d/, and then run uiScribe, option rf to rescan that directory.
 
Logging in /opt/var/log/suricata.log goes back to July 6 (so about 20 days now), while I use this in scribe:


Code:
# Created by SNBForums user @ttgapers
# log all suricata logs to suricata.log

destination d_suricata {
    file("/opt/var/log/suricata.log");
};

filter f_suricata {
    program("S82suricata") or
    program("suricata");
};

log {
    source(src);
    filter(f_suricata);
    destination(d_suricata);
    flags(final);
};

#eof

Code:
/opt/var/log/suricata.log {
    # skip the run unless the file is at least 1 MiB (1048576 bytes)
    minsize 1024k
    # and rotate at most once per calendar day
    daily
    # keep nine rotated copies, older ones are removed
    rotate 9
    postrotate
        # make syslog-ng reopen suricata.log; otherwise it keeps writing to the renamed file
        /usr/bin/killall -HUP syslog-ng
    endscript
}

I was expecting to see the logging of at most 1 day. Is my expectation or my configuration wrong? How to fix this?
 
I was expecting to see the logging of at most 1 day. Is my expectation or my configuration wrong? How to fix this?
How big is the logfile? Minsize means it won't rotate until it's at least 1 MB big when logrotate runs.
 
Isn't that 4KB?
 
I was expecting to see the logging of at most 1 day. Is my expectation or my configuration wrong? How to fix this?
Run this:
Code:
/opt/sbin/logrotate /opt/etc/logrotate.conf -d
That will run logrotate in debug mode, which just prints messages about what logrotate would do, if it ran for real. It will tell you if the log is or is not rotating and why.

Also, you can look at /var/lib/logrotate.status to see when that log was last rotated. (Not sure why it is way over in that location, but there it will be.)
 
/opt/sbin/logrotate /opt/etc/logrotate.conf -d
Code:
rotating pattern: /opt/var/log/suricata.log  after 1 days (9 rotations)
empty log files are not rotated, only log files >= 1048576 bytes are rotated, log files >= 4194304 are rotated earlier, old logs are removed
considering log /opt/var/log/suricata.log
  Now: 2020-07-27 09:47
  Last rotated at 2020-07-26 15:00
  log needs rotating
rotating log /opt/var/log/suricata.log, log->rotateCount is 9
dateext suffix '-20200727'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
compressing log with: /bin/gzip
glob finding old rotated logs failed
renaming /opt/var/log/suricata.log to /opt/var/log/suricata.log-20200727
creating new /opt/var/log/suricata.log mode = 0600 uid = 0 gid = 0
running postrotate script
running script with args /opt/var/log/suricata.log  (null): "
        /usr/bin/killall -HUP syslog-ng
"

Log is still 4162817 bytes afterwards...
 
Log is still 4162817 bytes afterwards...
What permissions does suricata.log have?
 
Log is still 4162817 bytes afterwards...
That's because debug doesn't actually do anything. Still, the output looks to me like when it runs overnight, it will be (that is, should be) rotating the log. And the permissions are the same as mine (except, bad boy to be using admin as your login name).

Well, run logrotate with "--force". That will force rotation, and maybe give you some useful message.
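
The replies above explain the three things that decide whether this log rotates: minsize, the daily interval, and what logrotate -d reports. The following is an added example written for this page (my code, not the scribe project's and not any poster's) that models those checks so the numbers from the posts can be walked through offline. Two options are assumed to live in the global /opt/etc/logrotate.conf because they are implied by the -d output but absent from the posted stanza: notifempty ("empty log files are not rotated") and maxsize 4M ("log files >= 4194304 are rotated earlier"). The "already rotated earlier today" timestamp and the nine compressed old copies are constructed inputs, not taken from the thread.

```python
"""Model of the rotate-or-not decision logrotate makes for one stanza.

Added example for this thread, not code from the scribe project or from any
poster. It re-implements, in simplified form, the checks logrotate reports in
-d mode so the numbers from the posts above can be walked through offline.
Two options are ASSUMED to live in the global /opt/etc/logrotate.conf, since
they are absent from the posted stanza but implied by the -d output:
notifempty ("empty log files are not rotated") and maxsize 4M
("log files >= 4194304 are rotated earlier").
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# dateext suffix as printed by -d ('-20200727'), optionally followed by .gz
DATE_RE = re.compile(r"-(\d{8})(?:\.gz)?$")


@dataclass
class Stanza:
    daily: bool = True             # at most one rotation per calendar day
    minsize: Optional[int] = None  # bytes: rotate only if >= this AND the day rolled over
    maxsize: Optional[int] = None  # bytes: rotate as soon as >= this, even on the same day
    notifempty: bool = True        # assumed global option, see module docstring
    rotate: int = 9                # rotated copies to keep


# The stanza posted in the thread (minsize 1024k, daily, rotate 9) plus the
# two assumed global options.
THREAD_STANZA = Stanza(daily=True, minsize=1024 * 1024, maxsize=4 * 1024 * 1024, rotate=9)
NOW = datetime(2020, 7, 27, 9, 47)             # 'Now:' line of the -d output
LAST = datetime(2020, 7, 26, 15, 0)            # 'Last rotated at' line of the -d output
EARLIER_TODAY = datetime(2020, 7, 27, 8, 0)    # constructed: a run that already rotated today
POSTED_SIZE = 4162817                           # 'Log is still 4162817 bytes afterwards'


def should_rotate(st: Stanza, size: int, last: datetime, now: datetime) -> Tuple[bool, str]:
    """Return (rotate?, reason) for a log of `size` bytes last rotated at `last`.

    `last` is what logrotate keeps in its status file
    (/var/lib/logrotate.status in the thread). The check order mirrors
    logrotate: empty file, then maxsize, then the calendar day, then minsize.
    'daily' compares dates, not a full 24 hours: 15:00 yesterday to 09:47
    today counts as a day.
    """
    if size == 0 and st.notifempty:
        return False, "log is empty and notifempty is set"
    if st.maxsize is not None and size >= st.maxsize:
        return True, f"size {size} >= maxsize {st.maxsize}, rotated early"
    if st.daily and now.date() <= last.date():
        return False, f"already rotated on {last:%Y-%m-%d}, daily allows one rotation per day"
    if st.minsize is not None and size < st.minsize:
        return False, f"day rolled over but size {size} < minsize {st.minsize}"
    extra = f" and size {size} >= minsize {st.minsize}" if st.minsize is not None else ""
    return True, "day rolled over" + extra


def rotation_plan(st: Stanza, path: str, now: datetime, existing: List[str]) -> Tuple[str, List[str]]:
    """Name the new dateext copy and list old copies that fall past `rotate`.

    Mirrors the 'dateext suffix' and 'glob finding old rotated logs' steps of
    the -d output: old copies are recognised by their YYYYMMDD suffix (with or
    without .gz) and the oldest ones beyond `rotate` are dropped.
    """
    new_name = f"{path}-{now:%Y%m%d}"
    dated = []
    for p in existing:
        m = DATE_RE.search(p)
        if m:
            dated.append((m.group(1), p))
    dated.append((f"{now:%Y%m%d}", new_name))
    dated.sort()  # YYYYMMDD strings sort chronologically
    surplus = len(dated) - st.rotate
    to_remove = [p for _, p in dated[:surplus]] if surplus > 0 else []
    return new_name, to_remove


def walk_through() -> List[Tuple[str, bool, str]]:
    """Run the thread's stanza over the posted size and a few constructed cases."""
    cases = [
        ("posted size, last rotated yesterday", POSTED_SIZE, LAST),
        ("posted size, already rotated today", POSTED_SIZE, EARLIER_TODAY),
        ("4 MiB reached, already rotated today", 4 * 1024 * 1024, EARLIER_TODAY),
        ("empty file, last rotated yesterday", 0, LAST),
        ("500 KiB, last rotated yesterday", 500 * 1024, LAST),
    ]
    return [(label, *should_rotate(THREAD_STANZA, size, last, NOW)) for label, size, last in cases]


if __name__ == "__main__":
    for label, decision, reason in walk_through():
        print(f"{'rotate' if decision else 'skip  '}  {label}: {reason}")
    # constructed set of nine already-rotated, compressed copies
    old = [f"/opt/var/log/suricata.log-202007{d:02d}.gz" for d in range(18, 27)]
    new_name, gone = rotation_plan(THREAD_STANZA, "/opt/var/log/suricata.log", NOW, old)
    print(f"new copy {new_name}; removed: {gone}")
```

Running it prints one line per case. The posted size of 4162817 bytes sits 31487 bytes under the 4194304-byte "rotated earlier" threshold, so only the daily-plus-minsize rule fires, and only once the calendar day has changed; a second run the same morning is skipped, which matches the "log needs rotating" line appearing at 09:47 after a 15:00 rotation the day before. The model copies the thresholds from the -d messages; real logrotate builds differ in small details, so the dry run the post recommends (logrotate ... -d) stays the source of truth for a given router.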
 
I'm having several system problems that I found when I reinstalled Scribe. One problem is that portions of Scribe did not install because I have no room left on /jffs. Scribe seemed to install properly even with those error messages. Is this the correct behavior for Scribe?

Another problem is creating space on /jffs. Turns out I had Traffic Analyzer enabled. I have now disabled it in the GUI. But there remains an 18 MB TrafficAnalyzer.db file that I want to delete, which would create space, but when I try, I get an error message that it cannot be deleted because there is no room on /jffs. That seems counterintuitive but I guess it makes sense in the Linux world. I googled this problem but of all the suggestions I found, none worked. Is there a failsafe way to delete that file?

Beyond that .db file, maybe there are other files that I do not need that are taking up space. Is there a way to find and delete those unneeded files?
 
But there remains an 18 MB TrafficAnalyzer.db file that I want to delete, which would create space, but when I try, I get an error message that it cannot be deleted because there is no room on /jffs. Is there a failsafe way to delete that file?
Here are the commands to purge the Traffic Analyzer file.
https://www.snbforums.com/threads/a...p-static-list-after-reboots.64884/post-597193
 
