[Snort-devel] Snort init script `stats` function
gallagher.peter at gmail.com
Wed Aug 23 07:31:39 EDT 2017
The current `stats` function in the init.d script has been very unreliable
for me, due to variations in the `startdate` variable recorded in the
script and the timestamp when the log lines are actually written by snort.
Accordingly I have modified my init script to use the following:
tac /var/log/messages | grep -F -m1 -B147 '*** Caught Dump Stats-Signal' |
tac | grep 'snort.*:' | cut -d: -f4-
This example of the basic `stats` function does the following:
1. Uses `tac` to reverse the order of `$SYSLOG`
2. Greps for the first occurrence of the snort stats start signature and
includes an additional 147 lines of output
3. Reverses the order (again using `tac`) to return it to normal order
4. Filters out any non-snort lines
I think this is a more reliable approach. The only risk is that, if the stats
aren't dumped correctly, it could return an earlier collection of
statistics; however, I feel this is highly unlikely.
I looked for a public repository to provide a diff or pull request but
could not find any.
Please let me know if you think this is suitable for inclusion for future
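The approach described above, packaged as a shell function, as an added example that is not part of the original post or of the Snort init script. The signature is matched as a fixed string (`-F`) so the leading `***` is not read as a regex, the `snort.*:` filter is quoted so the shell cannot glob-expand it, and the function fails with a non-zero status when no dump is found instead of silently printing nothing. The 147-line window, the temporary file path and the sample syslog lines are all assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): extract the most recent Snort
# stats dump from a syslog file using the tac | grep -B | tac approach.
#   $1 = syslog file to read
#   $2 = maximum number of lines after the start signature to keep (assumed
#        default of 147, as in the post; this is an upper bound, not a fixed
#        block length)
snort_last_stats() {
    logfile="$1"
    window="${2:-147}"

    # Reverse the log, take the first (i.e. latest) start signature plus up
    # to $window lines that precede it in reversed order, then restore the
    # original order. -F makes '***' a literal prefix rather than a regex.
    block=$(tac "$logfile" \
        | grep -F -m1 -B "$window" '*** Caught Dump Stats-Signal' \
        | tac) || true

    if [ -z "$block" ]; then
        echo "snort_last_stats: no stats dump found in $logfile" >&2
        return 1
    fi

    # Keep only snort lines and drop the syslog timestamp/host/tag prefix
    # (everything up to the third ':'), as in the original pipeline.
    printf '%s\n' "$block" | grep 'snort.*:' | cut -d: -f4-
}

# Constructed sample log (assumption: these are not real Snort statistics).
# It contains an older dump, an unrelated sshd line, and a newer dump so the
# function can be seen picking the newest one and skipping non-snort lines.
make_sample_log() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
Aug 23 07:00:01 sensor1 snort[1234]: *** Caught Dump Stats-Signal
Aug 23 07:00:01 sensor1 snort[1234]: Packets Received: 100
Aug 23 07:00:02 sensor1 sshd[99]: Accepted publickey for admin
Aug 23 07:30:01 sensor1 snort[1234]: *** Caught Dump Stats-Signal
Aug 23 07:30:01 sensor1 snort[1234]: Packets Received: 250
Aug 23 07:30:01 sensor1 snort[1234]: Packets Dropped: 3
EOF
    echo "$f"
}

# Stand-alone usage: print the latest dump from the constructed sample.
if [ "${SNORT_STATS_DEMO:-1}" = "1" ]; then
    sample=$(make_sample_log)
    snort_last_stats "$sample" 147
    rm -f "$sample"
fi
```

On a real sensor the function is called as `snort_last_stats /var/log/messages`, which is what an init script `stats` target would do; the window argument only caps how much trailing output is kept, so a dump shorter than 147 lines is returned whole.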