Snort mailing list archives

Re: Log Rotation

From: brandon () roguetrader com
Date: Wed, 3 Oct 2001 08:23:08 -0600

On Tue, Oct 02, 2001 at 01:24:18PM -0700, Erek Adams wrote:

On Tue, 2 Oct 2001, DeBerry, Casey wrote:

Running snort 1.8 on solaris 7. In the past, using linux, have had success
with log-rotate script.. but it used the gcc date function to call previous
days date.. ie:
PAST=`date --date='1 day ago' +%b%d_%Y
This ran as a cron job at 12:01 am and worked great. Solaris however, does
not use gcc date.. I guess I could run my own bits, but thought there was
something out there that might be a little bit more elegant.


I took the other approach, rather than moving yesterday's snort log
directory to yesterday's date, I just kick snort once a day and have
it lock out to a directory with the current day's date.  I have two
scripts to do this:

----------------------------------------/snort/bin/rotate (called from cron)
#!/bin/sh
# kill the old snort, launch a new one
tok="/usr/local/bin/snort -c /snort/rules/snort.conf"
pid=`ps auxw | fgrep "$tok" | awk -F' ' '{print $2}'`
for p in $pid ; do
    if [ "$p" -gt 1 ]; then
        kill $p
    fi
done

/snort/bin/launch &
----------------------------------------/snort/bin/launch
#!/bin/sh
# log to todays date

date=`date +%Y-%m-%d`
snortconf="/snort/rules/snort.conf"
snortdir=/snort/logs/$date
dev=fxp1

if [ ! -d /snort/logs/$date ]; then
    mkdir /snort/logs/$date
    touch /snort/logs/$date/alert
    /snort/bin/rotate-pigsentry
fi

#                           -b \
# -o puts pass rules first
(/usr/local/bin/snort -c $snortconf \
                           -i $dev \
                           -A full \
                           -o \
                           -X \
                           -z est \
                           -k none \
                           -l $snortdir 2>&1) >> $snortdir/snort.log &
----------------------------------------

-Brandon Gillespie

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Log Rotation DeBerry, Casey (Oct 02)
- Re: Log Rotation Erek Adams (Oct 02)
  - Re: Log Rotation brandon (Oct 03)