Feature #2107
open
eve: rotate log output based on size
Description
Similar to rotating based on time - http://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#rotate-log-file
but rotate based on size.
Updated by Victor Julien over 7 years ago
- Subject changed from Rotate eve json output based on size to eve: rotate log output based on size
Might be possible to implement this such that it applies to all text based loggers.
Updated by Jason Ish over 7 years ago
What should happen when a file is rotated by size? Say the filename is just "eve.json", would it just be reset to 0 size and carry on? Or renamed and re-opened? If renamed, what sort of naming scheme?
With a date-based name that has the resolution to handle this, it's OK, even a good addition. But if using a date-based name that has a resolution of a day, but the size is going to roll it over multiple times a day, do you just truncate? Or use a scheme for renaming?
Just some thoughts, but more things that should be deterministic and documented.
Updated by Victor Julien over 7 years ago
Maybe just mimic what unified2 does, so a seconds since epoch suffix, with an option for even higher resolution. I guess it would require the reader to take this into account as well, e.g. not missing events that are just before the rotation.
Updated by Victor Julien about 5 years ago
- Has duplicate Support #3114: Forcing size limitation on eve.json file added
Updated by Victor Julien over 1 year ago
- Assignee changed from Mats Klepsland to Community Ticket
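The rename scheme discussed in the comments above (seconds-since-epoch suffix with an optional higher resolution), sketched as an added example; it is not Suricata code and not part of the ticket. The names `SizeRotatingWriter`, `rotated_files` and `read_all`, and the `-<seq>` tie-breaker for several rollovers inside one clock tick, are assumptions made for illustration.

```python
import os
import re
import time

SUFFIX = re.compile(r"\.(\d+)(?:\.(\d+))?(?:-(\d+))?")  # .<sec>[.<nsec>][-<seq>]

class SizeRotatingWriter:
    """Append whole records; at max_bytes rename the file to <path>.<epoch>."""

    def __init__(self, path, max_bytes, high_res=False, clock=time.time_ns):
        self.path, self.max_bytes = path, max_bytes
        self.high_res, self.clock = high_res, clock
        self._open()

    def _open(self):
        self.fh = open(self.path, "ab")
        self.size = os.path.getsize(self.path)

    def _rotate(self):
        self.fh.close()
        sec, nsec = divmod(self.clock(), 10**9)
        base = f"{self.path}.{sec}" + (f".{nsec:09d}" if self.high_res else "")
        target, seq = base, 0
        while os.path.exists(target):  # several rollovers within one clock tick
            seq += 1
            target = f"{base}-{seq}"
        os.rename(self.path, target)   # rename, never truncate: no record is lost
        self._open()

    def write(self, record: bytes):
        line = record.rstrip(b"\n") + b"\n"
        if self.size and self.size + len(line) > self.max_bytes:
            self._rotate()             # rotate between records, never inside one
        self.fh.write(line)
        self.fh.flush()
        self.size += len(line)

def rotated_files(path):
    """Rotated files in rotation order, followed by the live file."""
    d, name = os.path.split(os.path.abspath(path))
    found = []
    for entry in os.listdir(d):
        m = SUFFIX.fullmatch(entry[len(name):]) if entry.startswith(name) else None
        if m:  # sort key: (seconds, nanoseconds, sequence)
            found.append((tuple(int(g or 0) for g in m.groups()), os.path.join(d, entry)))
    return [p for _, p in sorted(found)] + [os.path.join(d, name)]

def read_all(path):
    """Batch reader: every record, including those written just before a rotation."""
    records = []
    for p in rotated_files(path):
        with open(p, "rb") as fh:
            records.extend(fh.read().splitlines())
    return records
```

`read_all` is a batch reader over a quiescent directory; a reader tailing the live file would additionally have to finish the old file after noticing the rename.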