[Snort-users] Updated snort log rotate
jameso at ...555...
Thu Oct 12 12:01:18 EDT 2000
Sorry, I sent the wrong file to the list. Heh, the one I sent was
missing a "then" after a elif. Here is the correct one.
On Thu, Oct 12, 2000 at 10:34:30AM -0500, Jim wrote:
> Well, that last version of snort_log_rotate that I wrote apperently
> did not work on some non BSD based systems because of some stuff I did
> with the date command. Here is a changed copy that should work on non
> BSD based systems. As I don't have access to any Linux systems, I
> can't really test this on them, but I did test this on Solaris and it
> seemed to work fine there.
> Let me know if anyone has any problems.
> Jim O'Gorman | I gave up Smoking, Drinking and Sex.
> UNIX Admin | It was the most
> ---- | *__________horrifying* 20
> jameso at ...555... | minutes of my life!
> jameso at ...556... |
-------------- next part --------------
# Logfile roation script for snort writen by jameso at ...557...
# This script is pretty basic. We start out by setting some vars.
# Its job is tho rotate the days logfiles, e-mail you with what
# it logged, keep one weeks worth of uncompressed logs, and also
# keep compressed tgz files of all the logs. It is made to be run
# at midnight everynight. This script expects you to have a base
# dir that you keep all of your logs, rule sets etc in. You can
# see what sub dirs it expects from looking at the var settings
# Things to note in this script is that we run this script at 12
# every night, so we want to set the dirdate var the day the script
# runs minus a day so we label the files with the correct day. We
# Then create a dir for the days logs, move the log files into
# todays dir. As soon as that is done restart snort so we don't miss
# anything. Then delete any logs that are uncompressed and over a
# week old. Then compress out todays logs and archive them away, and
# end up by mailling out the logs to you.
# Define where you have the base of your snort install
# Define other vars
# logdir - Where the logs are kept
# oldlogs - Where you want the archived .tgz logs kept
# weeklogs - This is where you want to keep a weeks worth of log files uncompressed
# dirdate - Todays Date in Month - Day - Year format
# olddirdate - Todays date in the same format as dirdate, minus a week
# When I first wrote this script, I only ran it on BSD systems. That was a
# mistake, as BSD systems have a date command that apperently lets you walk the
# date back pretty easily. Well, some systems don't have this feature, so I had
# to change the way that dates are done in here. I left in the old way, because
# it is cleaner, and I added in a new way that should be portable. If anyone
# has any problems, just let me know and I will try to fix it.
# You have to change the system var to either bsd or other. Set it to bsd if
# your system supports the "-v" flag. If you are not sure, set it to other.
if [ $system = bsd ]
dirdate=`date -v -1d "+%m-%d-%y"`
olddirdate=`date -v -8d "+%m-%d-%y"`
elif [ $system = other ]
yesterday=`expr \`date "+%d"\` - 1`
eightday=`expr \`date "+%d"\` - 8`
# Create the Dir for todays logs.
if [ ! -d $weeklogs/$dirdate ]
# Move the log files into todays log dir. This is done with
# a for loop right now, because I am afriad that if alot is
# logged there may be to many items to move with a "mv *"
# type command. There may a better way to do this, but I don't
# know it yet.
for logitem in `ls $logdir` ; do
mv $logdir/$logitem $weeklogs/$dirdate
# Kill and restart snort now that the log files are moved.
kill `cat /var/run/snort_fxp0.pid`
# Restart snort in the correct way for you
/usr/local/bin/snort -i fxp0 -d -D -h homeiprange/28 -l /usr/snort/log \
-c /usr/snort/etc/08292k.rules > /dev/null 2>&1
# Delete any uncompressed log files that over a week old.
if [ -d $weeklogs/$olddirdate ]
rm -r $weeklogs/$olddirdate
# Compress and save the log files to save for as long as you want.
# This is done in a sub-shell because we change dirs, and I don't want
# to do that within the shell that the script runs in.
(cd $weeklogs; tar zcvf $oldlogs/$dirdate.tgz $dirdate > /dev/null 2>&1)
# Mail out the log files for today.
cat $weeklogs/$dirdate/snort.alert | mail -s "Snort logs" you at ...558...
cat $weeklogs/$dirdate/snort_portscan.log | mail -s "Snort portscan logs" you at ...558...
More information about the Snort-users