[Snort-devel] alerts file newsyslog rotation with non-root user
list at ...2932...
Sat Dec 22 07:47:17 EST 2007
I am running snort 126.96.36.199 on OpenBSD 4.2. I have the following line in
/var/snort/log/alert 600 99 10000 * Z "/bin/kill -HUP \
Since snort is running with user:group _snort:_snort, log rotation would
not work with alerts file. So I applied the following diff of mine:
--- src/snort.c.orig Fri Dec 21 00:32:45 2007
+++ src/snort.c Fri Dec 21 00:38:13 2007
@@ -3954,6 +3954,8 @@ static void SigHupHandler(int signal)
void SigCantHupHandler(int signal)
LogMessage("Reload via Signal HUP does not work if you aren't root
or are chroot'ed\n");
+ LogMessage("Reopening alerts file after newsyslog rotation");
Thanks to this diff, now I am able to rotate alerts file successfully.
Everything seems fine in my case, because I use full alerts.
But I am not sure if this is the best and general solution to this
issue, or if there are hidden problems this diff introduces (I haven't
seen any yet during its operation).
I would appreciate if snort developers could comment on this diff, and,
if possible, apply this diff or a better solution to the next releases.
More information about the Snort-devel