[Snort-users] OpenLogFile error

dr Feri Zsuppa'n ferizs at ...798...
Thu Nov 23 11:31:20 EST 2000


On Thu, 23 Nov 2000, Martin Roesch wrote:

> > I have started getting the same
> > 
> > Nov 16 09:35:28 aas3 snort[23769]: ERROR: OpenLogFile() =>
> > fopen(/data/snort/172.131.222.180/ICMP_ECHO) log file: No such file or
> > directory
> > 
> > errors as an earlier posting described here:
> > 
> > http://archives.neohapsis.com/archives/snort/2000-08/0227.html
> > 
> > My disk is not full(30%) and the permission on the snort directory is the
> > same. I run snort-1.6.3-patch2 on Solaris7/SPARC. I hope that the solution
> > is not going back to 1.5....
> 
> It shouldn't be.  Did the directory (/data/snort) exist?  How about the IP
> address directory?  Did you start the process with -u or -g, and if so did
> Snort have perms to write to the directory?
Yes.
> What's your command line config and snort.conf look like?

Fyodor has been helping me on this. Thanks Fyodor! It turned out that the
problem is the large number of subdirectories(links) generated in the log
directory is hitting LINK_MAX(too many links error).

One solution might be to eliminate sudirectories and create files with
IP prefix like 207.45.211.102-ICMP_TTL_EXCEED instead. You could grep
and sort the files this way fine.

--Feri 






More information about the Snort-users mailing list