Bug 1330331

Summary: Use SIGHUP for logrotation instead of copytruncate.
Product: [Fedora] Fedora
Reporter: Jason Ish <ish>
Component: suricata
Assignee: Steve Grubb <sgrubb>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Docs Contact:
Priority: unspecified
Version: 25
CC: athmanem, fedora, jmlich83, jtfas90, sgrubb
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-11-20 23:03:58 UTC
Type: Bug
Attachments (Description, Flags):
Patch for logrotate. none
Patch upstream systemd unit file. none

Description Jason Ish 2016-04-25 23:20:32 UTC
Created attachment 1150645
Patch for logrotate.

Suricata will close and reopen the logs now on a SIGHUP, eliminating the need for copytruncate.

Also, *.json logs should be rotated as well.
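
The difference between the two rotation schemes named in the description above, as an added example that is not part of the original report and is not Suricata or Fedora code: a toy Python writer (hypothetical `Logger`, constructed file name `sample.json`) is rotated once by copy-then-truncate and once by rename plus SIGHUP. The write between the two rotation steps is forced here; on a live sensor it is a race.

```python
import os, shutil, signal, tempfile

class Logger:
    """Toy stand-in for a daemon that keeps its log file open (not Suricata code)."""
    def __init__(self, path):
        self.path, self.fh, self.reopen = path, open(path, "a"), False

    def on_sighup(self, signum, frame):
        self.reopen = True              # handler only sets a flag

    def write(self, line):
        if self.reopen:                 # close and reopen by name after SIGHUP
            self.fh.close()
            self.fh, self.reopen = open(self.path, "a"), False
        self.fh.write(line + "\n")
        self.fh.flush()

def rotate_copytruncate(log, write_in_gap):
    shutil.copy(log.path, log.path + ".1")   # 1. copy the live file
    write_in_gap()                           # event arrives before the truncate
    os.truncate(log.path, 0)                 # 2. truncate: that event is in neither file

def rotate_sighup(log, write_in_gap):
    os.rename(log.path, log.path + ".1")     # 1. rename; the open fd follows the inode
    write_in_gap()                           # event lands in the rotated file
    os.kill(os.getpid(), signal.SIGHUP)      # 2. postrotate: tell the writer to reopen

def surviving_events(rotate):
    """Write three events around one rotation and return those still on disk."""
    d = tempfile.mkdtemp()
    log = Logger(os.path.join(d, "sample.json"))   # constructed file name
    old = signal.signal(signal.SIGHUP, log.on_sighup)
    try:
        log.write("event-1")
        rotate(log, lambda: log.write("event-2"))
        log.write("event-3")
        log.fh.close()
        found = []
        for name in os.listdir(d):
            with open(os.path.join(d, name)) as f:
                found += f.read().split()
        return sorted(found)
    finally:
        signal.signal(signal.SIGHUP, old)
        shutil.rmtree(d)

if __name__ == "__main__":
    print("copytruncate:", surviving_events(rotate_copytruncate))
    print("rename+SIGHUP:", surviving_events(rotate_sighup))
```
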

Comment 1 Jan Kurik 2016-07-26 05:04:12 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle.
Changing version to '25'.

Comment 2 Steve Grubb 2016-11-07 11:51:25 UTC
Closing this issue for now. This has been reported upstream and will be pulled in during a future release if upstream so chooses.

Comment 3 Jason Ish 2018-11-19 21:43:04 UTC
I'm not sure why this was closed. This patch is based on the logrotate example we use in the upstream. Can this be re-opened?

Comment 4 Steve Grubb 2018-11-19 22:24:40 UTC
Sure. Reopening. After looking this over, probably the right thing to do is drop the current files and just use upstream's.

Comment 5 Jason Ish 2018-11-20 20:51:56 UTC
Great. I can prep a patch if you like.

Comment 6 Steve Grubb 2018-11-20 23:03:58 UTC
Patch is not needed. This has been fixed in rawhide.

Comment 7 Jason Ish 2018-11-21 06:22:28 UTC
This pulled in the systemd unit file from upstream, which is really a template that isn't set up correctly for Fedora - the environment file is commented out in the unit file. I should probably attempt distribution detection in upstream, but for now, we'll have to take care of it here.

Patch attached.

Also, I do not believe ragel needs to be required here. I believe it's a build requirement for hyperscan, and the Suricata package will build and run fine without it.

And around line 202 of the spec file there appears to be an artifact left from a merge conflict.

Comment 8 Jason Ish 2018-11-21 06:23:09 UTC
Created attachment 1507557
Patch upstream systemd unit file.

Comment 9 Steve Grubb 2018-12-17 19:08:04 UTC
(In reply to Jason Ish from comment #7)
> This pulled in the systemd unit file from upstream, which is really a
> template that isn't set up correctly for Fedora - the environment file is
> commented out in the unit file. I should probably attempt distribution
> detection in upstream, but for now, we'll have to take care of it here.

suricata-4.1.1 on rawhide should have this fixed. Please give it a try. It also includes some basic systemd defensive security hardening.