[Snort-users] Updated snort log rotate

Jim jameso at ...555...
Thu Oct 12 11:34:30 EDT 2000


Well, that last version of snort_log_rotate that I wrote apperently
did not work on some non BSD based systems because of some stuff I did
with the date command. Here is a changed copy that should work on non
BSD based systems. As I don't have access to any Linux systems, I
can't really test this on them, but I did test this on Solaris and it
seemed to work fine there.

Let me know if anyone has any problems.

-- 
Jim O'Gorman           | I gave up Smoking, Drinking and Sex.
UNIX Admin             | It was the most                     
----                   | *__________horrifying* 20 
jameso at ...555...      | minutes of my life!                 
jameso at ...556...       |                                     
-------------- next part --------------
#!/bin/sh
# 
# Logfile roation script for snort writen by jameso at ...557...
# 
# This script is pretty basic. We start out by setting some vars.
# Its job is tho rotate the days logfiles, e-mail you with what 
# it logged, keep one weeks worth of uncompressed logs, and also
# keep compressed tgz files of all the logs. It is made to be run
# at midnight everynight. This script expects you to have a base
# dir that you keep all of your logs, rule sets etc in. You can 
# see what sub dirs it expects from looking at the var settings
# below.
# 
# Things to note in this script is that we run this script at 12 
# every night, so we want to set the dirdate var the day the script
# runs minus a day so we label the files with the correct day. We
# Then create a dir for the days logs, move the log files into 
# todays dir. As soon as that is done restart snort so we don't miss
# anything. Then delete any logs that are uncompressed and over a
# week old. Then compress out todays logs and archive them away, and
# end up by mailling out the logs to you.
#

# Define where you have the base of your snort install

snortbase=/usr/snort

# Define other vars
# logdir   - Where the logs are kept
# oldlogs  - Where you want the archived .tgz logs kept
# weeklogs - This is where you want to keep a weeks worth of log files uncompressed
# dirdate  - Todays Date in Month - Day - Year format
# olddirdate - Todays date in the same format as dirdate, minus a week

logdir=$snortbase/log
oldlogs=$snortbase/oldlogs
weeklogs=$snortbase/weeklogs

# When I first wrote this script, I only ran it on BSD systems. That was a
# mistake, as BSD systems have a date command that apperently lets you walk the
# date back pretty easily. Well, some systems don't have this feature, so I had
# to change the way that dates are done in here. I left in the old way, because
# it is cleaner, and I added in a new way that should be portable. If anyone
# has any problems, just let me know and I will try to fix it.
#
# You have to change the system var to either bsd or other. Set it to bsd if
# your system supports the "-v" flag. If you are not sure, set it to other.

system=bsd

if [ $system = bsd ]
then
	dirdate=`date -v -1d "+%m-%d-%y"`
	olddirdate=`date -v -8d "+%m-%d-%y"`
elif [ $system = other ]
	month=`date "+%m"`
	yesterday=`expr \`date "+%d"\` - 1`
	eightday=`expr \`date "+%d"\` - 8`
	year=`date "+%y"`

	dirdate=$month-$yesterday-$year
	olddirdate=$month-$eightday-$year
fi

# Create the Dir for todays logs.

if [ ! -d $weeklogs/$dirdate ]
then
	mkdir $weeklogs/$dirdate
fi

# Move the log files into todays log dir. This is done with
# a for loop right now, because I am afriad that if alot is
# logged there may be to many items to move with a "mv *"
# type command. There may a better way to do this, but I don't
# know it yet.

for logitem in `ls $logdir` ; do
	mv $logdir/$logitem $weeklogs/$dirdate
done

# Kill and restart snort now that the log files are moved.

kill `cat /var/run/snort_fxp0.pid`

# Restart snort in the correct way for you

/usr/local/bin/snort -i fxp0 -d -D -h homeiprange/28 -l /usr/snort/log \
 -c /usr/snort/etc/08292k.rules > /dev/null 2>&1

# Delete any uncompressed log files that over a week old.

if [ -d $weeklogs/$olddirdate ]
then
	rm -r $weeklogs/$olddirdate
fi

# Compress and save the log files to save for as long as you want.
# This is done in a sub-shell because we change dirs, and I don't want 
# to do that within the shell that the script runs in.

(cd $weeklogs; tar zcvf $oldlogs/$dirdate.tgz $dirdate > /dev/null 2>&1)

# Mail out the log files for today.

cat $weeklogs/$dirdate/snort.alert | mail -s "Snort logs" you at ...558...
cat $weeklogs/$dirdate/snort_portscan.log | mail -s "Snort portscan logs" you at ...558...




More information about the Snort-users mailing list