[Snort-users] solved: snort dies under RH7

dave w capella dave.capella at ...1712...
Sat Apr 7 00:12:36 EDT 2001

Something to consider for future RPM's, perhaps...

snort was dying on my logging station (RH7) at odd intervals,
and w/o any error indications in logs or as core files.

found the cause to be redhat's logrotate cron job.

cron runs everything in the /etc/cron.daily directory on a daily
basis. one after the other, so not necessarily at a specific time.
one of the scripts in that directory is logrotate.

a related note: the default snort config syslog's to auth.alert
which, on this box, meant that alerts went to /var/log/secure,
not /var/log/messages. i *think* that's the default RH 6.2, 7

apparently, when logrotate moved the log, it restarted syslog,
but if snort was trying to write to the log at that time, it
just quit.

my fix: change snort to local3.alert, send to /var/log/snort/alert,
added separate config for logrotate:

diff -r1.2 syslog.conf
< *.info;mail.none;news.none;authpriv.none;		/var/log/messages
> *.info;mail.none;news.none;authpriv.none;local6.none	/var/log/messages
> local6.alert								/var/log/snort/alert

# cat /etc/logrotate.d/snort
/var/log/snort/log {
    /etc/init.d/snort stop
    /etc/init.d/snort start
	create 664 snort snort


dave w capella            |  http://capella.ithaca.ny.us/
Systems Administrator     |  mailto:dave.capella at ...1712...  
Department of Biometrics  |  http://www.biom.cornell.edu/
Cornell University        |  (607) 255-9847
PGP Key                   |  http://capella.ithaca.ny.us/pgpkey.txt
        It's kind of fun to do the impossible.- Disney 

More information about the Snort-users mailing list