Created attachment 1150645 [details] Patch for logrotate. Suricata will close and reopen the logs now on a SIGHUP eliminating the need for copytruncate. Also, *.json logs should be rotated as well.
This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle. Changing version to '25'.
Closing this issue for now. This has been reported upstream and will be pulled in during a future release if upstream so chooses.
I'm not sure why this was closed. This patch is based on the logrotate example we use in the upstream. Can this be re-opened?
Sure. Reopening. After looking this over, probably the right thing to do is drop the current files and just use upstream's.
Great. I can prep a patch if you like.
Patch is not needed. This has been fixed in rawhide.
This pulled in the systemd unit file from upstream, which is really a template that isn't setup correctly for Fedora - the environment file is commented out in the unit file. I should probably attempt distribution detection in upstream, but for now, we'll have to take care of it here. Patch attached. Also, I do not believe ragel needs to be required here. I believe its a build requirement for hyperscan, and the Suricata package will build and run fine without it. And around line 202 of the spec file there appears to be an artifact left from a merge conflict.
Created attachment 1507557 [details] Patch upstream systemd unit file.
(In reply to Jason Ish from comment #7) > This pulled in the systemd unit file from upstream, which is really a > template that isn't setup correctly for Fedora - the environment file is > commented out in the unit file. I should probably attempt distribution > detection in upstream, but for now, we'll have to take care of it here. suricata-4.1.1 on rawhide should have this fixed. Please give it a try. It also includes some basic systemd defensive security hardening.