[Snort-users] solved: snort dies under RH7
dave w capella
dave.capella at ...1712...
Sat Apr 7 00:12:36 EDT 2001
Something to consider for future RPMs, perhaps...

snort was dying on my logging station (RH7) at odd intervals,
and w/o any error indications in logs or as core files.

found the cause to be redhat's logrotate cron job.

cron runs everything in the /etc/cron.daily directory on a daily
basis. one after the other, so not necessarily at a specific time.
one of the scripts in that directory is logrotate.

a related note: the default snort config syslog's to auth.alert
which, on this box, meant that alerts went to /var/log/secure,
not /var/log/messages. i *think* that's the default RH 6.2, 7

apparently, when logrotate moved the log, it restarted syslog,
but if snort was trying to write to the log at that time, it

my fix: change snort to local3.alert, send to /var/log/snort/alert,
added separate config for logrotate:

diff -r1.2 syslog.conf
< *.info;mail.none;news.none;authpriv.none; /var/log/messages
> *.info;mail.none;news.none;authpriv.none;local6.none /var/log/messages
> local6.alert /var/log/snort/alert
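
Review bot: both added lines use the local6 facility (local6.none on the /var/log/messages line, local6.alert for /var/log/snort/alert), while the message text says snort was changed to local3.alert. With the lines as shown, a local3.alert message still matches *.info and lands in /var/log/messages, and nothing reaches /var/log/snort/alert, so the facility in these two lines and the one snort logs with should be made the same. The /var/log/snort directory also has to exist before syslog is restarted, which is worth stating next to the change.
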
# cat /etc/logrotate.d/snort
create 664 snort snort
dave w capella | http://capella.ithaca.ny.us/
Systems Administrator | mailto:dave.capella at ...1712...
Department of Biometrics | http://www.biom.cornell.edu/
Cornell University | (607) 255-9847
PGP Key | http://capella.ithaca.ny.us/pgpkey.txt
It's kind of fun to do the impossible.- Disney
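
The syslog.conf routing discussed in the post can be checked before restarting syslog. The following is an added example, not part of the original post: a small resolver for classic syslog.conf selectors, run over constructed samples built from the diff lines. The function names are hypothetical, and sysklogd-style left-to-right override semantics are assumed.

```python
# Added example: which files does a classic syslog.conf send a message to?
# Handles "*", comma-separated facilities, "priority and above" and "none";
# the "=" and "!" priority modifiers are not handled.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed samples built from the lines of the diff in the post.
OLD_CONF = "*.info;mail.none;news.none;authpriv.none; /var/log/messages\n"
NEW_CONF = (
    "*.info;mail.none;news.none;authpriv.none;local6.none /var/log/messages\n"
    "local6.alert /var/log/snort/alert\n"
)

def selector_matches(selector, facility, priority):
    """True if a 'fac.prio;fac.prio' selector field matches facility.priority."""
    matched = False
    for clause in selector.split(";"):
        clause = clause.strip()
        if not clause:
            continue  # tolerate a trailing ";" as in the old line
        facilities, _, level = clause.rpartition(".")
        if facilities != "*" and facility not in facilities.split(","):
            continue  # clause says nothing about this facility
        if level == "none":
            matched = False  # later clauses override earlier ones
        elif level == "*":
            matched = True
        else:
            # a priority name means "this severity or more severe"
            matched = PRIORITIES.index(priority) <= PRIORITIES.index(level)
    return matched

def destinations(conf, facility, priority):
    """Return the action field of every rule that matches facility.priority."""
    found = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        if selector_matches(selector, facility, priority):
            found.append(action.strip())
    return found

if __name__ == "__main__":
    for fac in ("local6", "local3"):
        print(fac, "alert ->", destinations(NEW_CONF, fac, "alert"))
```
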