Suricata logging eats all my disk

mangrove · 15 April 2026 22:16

Well, today around lunch I had reports of problems that turned out to be due to the IPFire disk being completely full – with the /var/log/suricata/stats.log Suricata log file being 1.5 gigabytes. Not the first time this has happened.

Is it possible to schedule the Suricata log rotation to occur every night?

ms · 17 April 2026 07:50

This is already the default. We usually rotate around midnight.

mangrove · 17 April 2026 15:47

That’s weird – the gzips only seem to be created once a week at most, although I have been forced to remove some stats.log files before rotation due to a full disk – this doesn’t explain all of the gaps, however.

Where is the log rotation defined?.

bbitsch · 17 April 2026 19:16

Both is right.
logrotate is called every night.
But the period is defined in /etc/logrotate.conf.
Default in IPFire is to hold 1 year with rotation every week ( 52 instances ).

ms · 20 April 2026 10:46

Hello,

I pushed a change to remove the stats log:

mangrove · 20 April 2026 12:00

Great! Changing the rotation for Suricata to Daily (in /etc/logrotate.conf) also solved the issue for now, but I’m guessing it might have other repercussions…

ms · 21 April 2026 08:48

No that should not break anything…