[Snort-users] Updated Snort_log_rotate script

Jim jameso at ...555...
Sat Jun 2 03:55:25 EDT 2001


Well, it turns out a few people must have been using that script I
wrote..

I wrote a script called "snort_log_rotate" a while back for my use. I
shared it with the list in the hopes that someone might find it
useful. I have changed jobs so no longer run it, and have not received
any e-mails about the script, so I assumed no one ran it. Then, in the
last couple weeks I have been contacted by people about the script for
one reason or another.

I took some time to clean out a couple bugs that were pointed out to
me about the script, and now it should run *MUCH* better on non-BSD
based systems. There are a couple things that it now does that have not
been tested at all, so if anyone running the script wants to try this
one out and see if it works for them that would be great.

If you are running this script, send me a note. For all I know, there
are something like 4-6 people that use it. If there are more people, I
might pay attention to it. Otherwise, if no one is using it, it is not
worth the time.

-- 
Jim O'Gorman 
jameso at ...555...
-------------- next part --------------
#!/bin/sh
#
# Logfile rotation script for snort written by jameso at ...557...
#
#-------------------------------------------------------------
# Sat Jun  2 02:04:23 C 2001
#
# When I first wrote this script, I wrote it for a place that I
# was working for at the time. I have moved on from then and had
# pretty much forgot about this script. I was not running it
# myself, and I had no reason to think anyone else was either,
# as I never received any e-mail about it.
#
# Then, these last couple weeks I have had four separate people
# contact me with problems with the script. I thought I would 
# point out a couple things in the intro here, and update a
# couple problems that were pointed out to me having to do with
# the way I was dealing with date on non-BSD systems.
#
# You cannot just plop this script in and expect it to run. There
# is a fair number of items you have to change first. And, like the
# mean guy I am, the items you need to edit are not grouped together.
# You really do have to read through the comments scattered about
# the script and figure out what you do and do not need to change.
# It is really not hard to do, and it only needs to be done once.
#
# Other thing is, as I said before I am not running this script
# right now, as of this writing. Therefore if there is a problem
# anywhere in here, I will not see it, you will have to bring it
# to my attention. I am more than happy to help you out, and try to
# fix up whatever I did wrong in the script, but you will need to
# contact me. I am not on the snort mailing lists right now due to
# the high volume of e-mail I already have, you need to contact me
# direct.
#
# If you use this script, shoot me an e-mail letting me know. I did
# not think anyone was using it, therefore it was not maintained at
# all. If enough people use this, I will re-write it to be a lot
# cleaner. Right now it is pretty nasty for people new to
# snort/unix/whatever. There is a lot I could do better, but I am not
# going to take the time if no one is going to benefit from it.
# 
# Thanks, Jim <jameso at ...555...>
#-------------------------------------------------------------
# 
# 
# This script is pretty basic. We start out by setting some vars.
# Its job is to rotate the day's logfiles, e-mail you with what
# it logged, keep one week's worth of uncompressed logs, and also
# keep compressed tgz files of all the logs. It is made to be run
# at midnight every night. This script expects you to have a base
# dir that you keep all of your logs, rule sets etc in. You can
# see what sub dirs it expects from looking at the var settings
# below.
#
# One thing to note in this script is that we run it at 12
# every night, so we want to set the dirdate var to the day the script
# runs minus a day so we label the files with the correct day. We
# then create a dir for the day's logs, and move the log files into
# today's dir. As soon as that is done restart snort so we don't miss
# anything. Then delete any logs that are uncompressed and over a
# week old. Then compress out today's logs and archive them away, and
# end up by mailing out the logs to you.
#

# Define where you have the base of your snort install

snortbase=/usr/snort

# Define other vars
# logdir   - Where the logs are kept
# oldlogs  - Where you want the archived .tgz logs kept
# weeklogs - This is where you want to keep a weeks worth of log files uncompressed
# dirdate  - Today's date minus a day (the day the logs cover) in Month - Day - Year format
# olddirdate - The same format as dirdate, minus a week

logdir=$snortbase/log
oldlogs=$snortbase/oldlogs
weeklogs=$snortbase/weeklogs

# When I first wrote this script, I only ran it on BSD systems. That was a
# mistake, as BSD systems have a date command that apparently lets you walk the
# date back pretty easily. Well, some systems don't have this feature, so I had
# to change the way that dates are done in here. I left in the old way, because
# it is cleaner, and I added in a new way that should be portable. If anyone
# has any problems, just let me know and I will try to fix it.
#
# You have to change the system var to either bsd or other. Set it to bsd if
# your system supports the "-v" flag. If you are not sure, set it to other.

system=bsd

if [ $system = bsd ]
then
	dirdate=`date -v -1d "+%m-%d-%y"`
	olddirdate=`date -v -8d "+%m-%d-%y"`
elif [ $system = other ]
then
	month=`date "+%m"`
	year=`date "+%y"`

# This is pretty dirty, but it is the best way I was able to come up
# with to walk the date back. You can let me know if you have a better
# idea. For now you have to change "CST" to read your correct timezone.
# Note that only the day number is walked back: month and year still
# come from today's date, so on the first of a month the label ends up
# as this month's number with last month's final day.

	yesterday=`TZ=CST+24 date "+%d"`

	dirdate=$month-$yesterday-$year
fi


# Create the Dir for todays logs.

if [ ! -d $weeklogs/$dirdate ]
then
	mkdir $weeklogs/$dirdate
fi

# Move the log files into today's log dir. This is done with
# a for loop right now, because I am afraid that if a lot is
# logged there may be too many items to move with a "mv *"
# type command. There may be a better way to do this, but I don't
# know it yet.

for logitem in `ls $logdir` ; do
	mv $logdir/$logitem $weeklogs/$dirdate
done

# Kill and restart snort now that the log files are moved.

kill `cat /var/run/snort_fxp0.pid`

# Restart snort in the correct way for you

/usr/local/bin/snort -i fxp0 -d -D -h homeiprange/28 -l /usr/snort/log \
 -c /usr/snort/etc/08292k.rules > /dev/null 2>&1

# Delete any uncompressed log files that are over a week old.

if [ $system = bsd ]
then
	if [ -d $weeklogs/$olddirdate ]
	then
		rm -r $weeklogs/$olddirdate
	fi
elif [ $system = other ]
then

# This here, well, I never tested this. I think it will work, but
# I don't know anyone that is running snort with this script sooo..
# Like I said, I think this will work, but I never tested it. Please,
# let me know if you have any problems with this.

	find $weeklogs -type f -ctime +8 -exec rm {} \;
	find $weeklogs -type d -ctime +8 -exec rmdir {} \;
fi

# Compress and archive the log files to keep for as long as you want.
# This is done in a sub-shell because we change dirs, and I don't want 
# to do that within the shell that the script runs in.

(cd $weeklogs; tar zcvf $oldlogs/$dirdate.tgz $dirdate > /dev/null 2>&1)

# Mail out the log files for today.

cat $weeklogs/$dirdate/snort.alert | mail -s "Snort logs" you at ...558...
cat $weeklogs/$dirdate/snort_portscan.log | mail -s "Snort portscan logs" you at ...558...
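The script above has two spots worth a portable rewrite: the "other" branch of the date walk-back (which takes month and year from today, so the label is wrong on the first of a month) and the move/prune/archive steps (unquoted paths, and the find lines for non-BSD systems were never run). Below is an added example written for this page, not the posted snort_log_rotate script and not Snort project code. It computes yesterday's "%m-%d-%y" label with plain POSIX shell arithmetic instead of `date -v` or a TZ trick, and does the rotation steps with quoted paths and one `find -exec` per file. Assumed: POSIX sh, find, mv, rm, mkdir, and a tar that accepts `z` and `-C` (GNU, BSD and busybox tar do); the directory layout and label format are the script's own; the sensor restart is left as a comment because the right command depends on your install. The functions take the date as arguments so they can be checked against fixed inputs.

```sh
#!/bin/sh
# Added example for this page (not the posted snort_log_rotate script and not
# Snort project code). Portable replacement for the script's date walk-back and
# its move/prune/archive steps. Assumes only POSIX sh, find, mv, rm, mkdir and a
# tar that understands z and -C (GNU, BSD and busybox tar all do).

# Strip one leading zero so "08" and "09" are not parsed as invalid octal in $(( )).
num() { v=${1#0}; echo "${v:-0}"; }

# days_from_civil YYYY MM DD -> days since 1970-01-01.
# Standard civil-to-days algorithm: the year is shifted to start in March so
# that the leap day is the last day of the shifted year.
days_from_civil() {
    y=$(num "$1"); m=$(num "$2"); d=$(num "$3")
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    era=$((y / 400)); yoe=$((y - era * 400))          # 400-year cycle, year of era
    mp=$(((m + 9) % 12))                                # March = 0 ... February = 11
    doy=$(((153 * mp + 2) / 5 + d - 1))                 # day of shifted year
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))      # day of era
    echo $((era * 146097 + doe - 719468))               # 719468 = days 0000-03-01..1970-01-01
}

# civil_from_days N -> "YYYY MM DD", the inverse of days_from_civil.
civil_from_days() {
    z=$(($1 + 719468))
    era=$((z / 146097)); doe=$((z - era * 146097))
    yoe=$(((doe - doe / 1460 + doe / 36524 - doe / 146096) / 365))
    y=$((yoe + era * 400))
    doy=$((doe - (365 * yoe + yoe / 4 - yoe / 100)))
    mp=$(((5 * doy + 2) / 153))
    d=$((doy - (153 * mp + 2) / 5 + 1))
    if [ "$mp" -lt 10 ]; then m=$((mp + 3)); else m=$((mp - 9)); fi
    if [ "$m" -le 2 ]; then y=$((y + 1)); fi
    printf '%04d %02d %02d\n' "$y" "$m" "$d"
}

# label_days_back YYYY MM DD N -> the script's "%m-%d-%y" directory label for
# N days earlier. Month and year roll over with the day, so the first of a
# month and the first of January produce the right label.
label_days_back() {
    n=$4
    days=$(days_from_civil "$1" "$2" "$3")
    set -- $(civil_from_days $((days - n)))
    printf '%s-%s-%s\n' "$2" "$3" "${1#??}"
}

# rotate_logs LOGDIR WEEKLOGS OLDLOGS LABEL
# Same sequence as the script: make the dated directory, move every file out
# of LOGDIR one at a time (no "mv *", so the argument list cannot overflow),
# prune day directories older than 7 days, then archive the new directory.
# Every path is quoted, so spaces in directory names are harmless.
rotate_logs() {
    logdir=$1; weeklogs=$2; oldlogs=$3; label=$4
    mkdir -p "$weeklogs/$label" "$oldlogs" || return 1
    find "$logdir" -type f -exec mv {} "$weeklogs/$label" \;
    # The sensor restart belongs here, immediately after the move, as in the script.
    # Only top-level day directories are considered (-prune stops descent into them).
    find "$weeklogs" -type d -path "$weeklogs/*" -prune -mtime +7 -exec rm -r {} \;
    tar zcf "$oldlogs/$label.tgz" -C "$weeklogs" "$label"
}

# Stand-alone run: print the label the script would use for tonight's rotation.
set -- $(date '+%Y %m %d')
echo "label for the logs rotated tonight: $(label_days_back "$1" "$2" "$3" 1)"
```

Pruning is done by directory modification time rather than by a computed "eight days ago" name, so a night when the script did not run does not leave an orphaned directory behind forever; the `-prune` keeps find from walking into the day directories, which is what the original `find -type d ... rmdir` line would have tripped over.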