Snort mailing list archives
RE: Log Rotation
From: "Keaton, Lindamaria" <LKeaton () unionsafe com>
Date: Fri, 5 Dec 2003 10:33:20 -0800
I get the following error message. Any ideas? By the way I am running this on Linux.

# /etc/init.d/snort restart
/etc/init.d/snort: line 1: /var/log/snort//2003-12-05: No such file or directory
/etc/init.d/snort: line 1: /var/log/snort//2003-12-05: No such file or directory
Stoping Intrusion Database System: SNORT .
/etc/init.d/snort: line 1: /var/log/snort//2003-12-05: No such file or directory
Starting Intrusion Database System: SNORT
SNORT is up and running!

-----Original Message-----
From: JP Vossen [mailto:vossenjp () netaxs com]
Sent: Thursday, December 04, 2003 8:43 PM
To: snort-users () lists sourceforge net
Cc: Keaton, Lindamaria
Subject: Re: [Snort-users] Log Rotation

Date: Thu, 4 Dec 2003 12:46:05 -0800
From: "Keaton, Lindamaria" <LKeaton () unionsafe com>
To: <snort-users () lists sourceforge net>
Subject: [Snort-users] Log Rotation

Hello everyone. I'm trying to configure snort to rotate logs into a specific directory either every night and then have snort restart its service. Right now I have a configuration setup that is sort of working but it's not every night or when it reaches a certain limit.

<snip>

Plus this configuration does not restart the service. I have to reboot the server every morning to get snort running again.

WHAT?!? Are you INSANE? Please tell me you meant restart the service and not reboot the server!!! What is this, Windows? (I'm assuming you are not trying to get logrotate to work on Windows.) <big grin>

OK, seriously, I went a rather different route (on Linux, Red Hat 8, just to be clear). My /etc/init.d/snortd has something like the following:

    # Log everything in a dated directory
    TheDate=`/bin/date '+%Y-%m-%d'`
    if [ ! -d /var/log/snort/${SNORTNAME}/${TheDate} ]; then
        /bin/mkdir -p /var/log/snort/${SNORTNAME}/${TheDate}
    fi

    # Actually start snort, with our options
    daemon /usr/sbin/${SNORTNAME} -D -i $INTERFACE \
        -c /etc/${SNORTNAME}/snort.conf \
        -l /var/log/snort/${SNORTNAME}/${TheDate} -b ${BPFFILE}

Then my crontab has something like:

    # Restart Snort to use new Log Dir
    01 00 * * * /etc/rc.d/init.d/snortd restart

So every night at 1 minute after midnight cron restarts Snort. This a) activates any config or rules changes I may have made (though if I screw them up and Snort fails to actually start that's a Bad Thing), and b) starts logging to a dated directory. That has been working very well for me, though I have a small environment.

YMMV,
JP
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|        jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|      http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
You used to have to reboot the Windows 9.x series every couple of days
because it would crash. Now you have to reboot Windows 200x or XP every
couple of days because of a patch. How is that better or more stable?
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
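
The nightly dated-directory restart described in the quoted reply, as an added example that is not part of either poster's message: it refuses to build a path with an empty component (an unset SNORTNAME would give a path like the /var/log/snort//2003-12-05 in the error output) and runs Snort's configuration test mode (-T) before restarting, so a bad rules edit does not stop the sensor at midnight. LOG_ROOT, SNORT_BIN, SNORT_CONF, INIT_SCRIPT, their default paths and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Paths and names below are assumptions.
LOG_ROOT=${LOG_ROOT:-/var/log/snort}
SNORTNAME=${SNORTNAME:-snort}
SNORT_BIN=${SNORT_BIN:-/usr/sbin/snort}
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
INIT_SCRIPT=${INIT_SCRIPT:-/etc/rc.d/init.d/snortd}

# Print <root>/<name>/<YYYY-MM-DD>; fail instead of emitting a path with an
# empty component (which is how "/var/log/snort//2003-12-05" comes about).
dated_logdir() {
    root=$1 name=$2 day=${3:-$(date '+%Y-%m-%d')}
    if [ -z "$root" ] || [ -z "$name" ]; then
        echo "dated_logdir: empty log root or sensor name" >&2
        return 1
    fi
    case $day in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "dated_logdir: bad date '$day'" >&2; return 1 ;;
    esac
    printf '%s/%s/%s\n' "$root" "$name" "$day"
}

# Create the dated directory and print its path.
prepare_logdir() {
    dir=$(dated_logdir "$@") || return 1
    mkdir -p "$dir" || return 1
    printf '%s\n' "$dir"
}

# Restart only if the new configuration passes Snort's test mode (-T).
# Returns 2 and leaves the running sensor alone when the test fails.
nightly_restart() {
    dir=$(prepare_logdir "$LOG_ROOT" "$SNORTNAME") || return 1
    if ! "$SNORT_BIN" -T -c "$SNORT_CONF" -l "$dir" >/dev/null 2>&1; then
        echo "snort config test failed; not restarting" >&2
        return 2
    fi
    "$INIT_SCRIPT" restart
}

# Run from cron as: nightly-snort.sh --run   (script name is hypothetical)
if [ "${1:-}" = "--run" ]; then
    nightly_restart
fi
```

A cron entry can alert on the non-zero exit status, which distinguishes a rejected configuration (2) from a directory problem (1).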
Current thread:
- Log Rotation Keaton, Lindamaria (Dec 04)
- <Possible follow-ups>
- Re: Log Rotation JP Vossen (Dec 04)
- Re: Log Rotation Stephane Nasdrovisky (Dec 05)
- RE: Log Rotation Keaton, Lindamaria (Dec 05)
- RE: Log Rotation JP Vossen (Dec 05)
