Log rotation (SIGHUP) support #704
Comments
Interesting topic. For archives.log and alerts.log OSSEC uses symbolic links, and ossec-monitord takes care of rotating those, so we don't need to restart ossec processes or use "copytruncate". How about using ossec-monitord to rotate ossec.log and active-response.log as well? Wouldn't that make more sense than using logrotate? (especially considering that OSSEC is designed to run in a chroot environment, not to interact much with the host)
On Thu, 3 Dec 2015, Santiago Bassett wrote:
Interesting topic. For archives.log and alerts.log OSSEC uses symbolic
links, and ossec-monitord takes care of rotating those, so we don't need
to restart ossec processes or use "copytruncate". How about using
ossec-monitord to rotate ossec.log and active-response.log as well?
Wouldn't that make more sense than using logrotate? (especially
considering that OSSEC is designed to run in a chroot environment, not
to interact much with the host)
That would also bypass the issue of updating selinux policies for
logrotate to operate on /var/ossec/logs
Antonio Querubin
e-mail: tony@lavanauts.org
xmpp: antonioquerubin@gmail.com
Yes, single mechanism for rotating all logs would be nice. Current documentation recommends logrotate for ossec.log: http://ossec.github.io/docs/faq/ossec.html#how-can-i-get-ossec-log-to-rotate-daily Btw, how can I change settings for log rotation by ossec-monitord? I've found only options that change compressing/signing: http://ossec.github.io/docs/syntax/head_internal_options.analysisd.html#internal-options-conf-monitord
If those are not in internal_options.conf I would assume those options are hardcoded. If everyone agrees rotation for ossec.log and active-response.log should be implemented to be done by ossec-monitord, I'll add it to my todo and try to do this once I have some spare time.
To rotate ossec logs I have to use logrotate "copytruncate" option. That is an inconvenient hack that can lead to losing some amount of data. It would be nice to make ossec-monitord handle SIGHUP (or SIGUSR1) signal and re-open log files.
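
The re-open-on-signal behaviour requested in this issue, as an added example in C that is not OSSEC code and not part of the thread: the handler only sets a flag, and the logger re-opens its path before the next write, so a rotator can rename the file and send SIGHUP instead of using copytruncate. The names `log_init`, `log_line`, `file_size` and the `/tmp` paths are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

static volatile sig_atomic_t reopen_requested; /* written by the handler only */
static int log_fd = -1;
static const char *log_path;
static void on_sighup(int sig) { (void)sig; reopen_requested = 1; }

/* Open the log for appending and install the SIGHUP handler. */
int log_init(const char *path) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sighup;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;
    if (sigaction(SIGHUP, &sa, NULL) != 0) return -1;
    log_path = path;
    log_fd = open(path, O_WRONLY | O_APPEND | O_CREAT, 0640);
    return log_fd < 0 ? -1 : 0;
}

/* Write one line; if SIGHUP arrived, re-open the path first. */
int log_line(const char *msg) {
    if (reopen_requested) {
        reopen_requested = 0;
        int fd = open(log_path, O_WRONLY | O_APPEND | O_CREAT, 0640);
        if (fd >= 0) { close(log_fd); log_fd = fd; } /* keep old fd on failure */
    }
    return dprintf(log_fd, "%s\n", msg) < 0 ? -1 : 0;
}

/* Size of a file in bytes, or -1 if it does not exist. */
long file_size(const char *p) { struct stat st; return stat(p, &st) == 0 ? (long)st.st_size : -1; }

int main(void) {
    const char *cur = "/tmp/demo-ossec.log", *old = "/tmp/demo-ossec.log.1";
    if (log_init(cur) != 0 || log_line("before rotation") != 0) return 1;
    rename(cur, old);   /* the rotator renames instead of copy + truncate */
    log_line("still lands in the renamed file, nothing is lost");
    raise(SIGHUP);      /* the rotator signals the daemon */
    log_line("first line of the fresh file");
    printf("old=%ld new=%ld\n", file_size(old), file_size(cur));
    return 0;
}
```

Lines written between the rename and the signal go to the renamed file through the still-open descriptor, which is why this approach has no window in which data is discarded.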