[Snort-users] Snortdb against MySQL

Neil Dickey neil at ...1633...
Thu Mar 22 10:11:01 EST 2001


There was a request to see a copy of the script I wrote
to roll over Snort logs, so here it is along with some
explanatory material I wrote to go with it.  It isn't
just for Snort, of course, but will work with any sort
of log files you may have to deal with.  You can use a
'case' structure with 'uname -n' to tailor variables
according to the particular machine, and run it from an
NFS-mounted filesystem to service logfiles on more than
one computer with the same script.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115

-------------------------------------------------------------------------

#!/sbin/sh
#
# Script designed to roll over commonly used Snort logs, and
# restart the daemon.  Be sure to make the changes indicated
# by the comments before attempting to run the script.
#
# NDJr 02/20/01
#

BIN=/usr/bin

# Set LBIN to the path to your favorite file compression
# program.  I use 'gzip'.

LBIN=/usr/local/bin

# Set PID and LOGROOT to the paths valid on your machine.

PID=`$BIN/cat /path/to/snort_Xe0.pid`
LOGROOT=/your/Snort/logdir

# Shift the compressed generations up by one (the oldest, .5.gz,
# is overwritten), move the live log to .0, and recreate the log
# empty with the permissions Snort expects.
rollover() {
  test -f "$1.4.gz" && mv "$1.4.gz" "$1.5.gz"
  test -f "$1.3.gz" && mv "$1.3.gz" "$1.4.gz"
  test -f "$1.2.gz" && mv "$1.2.gz" "$1.3.gz"
  test -f "$1.1.gz" && mv "$1.1.gz" "$1.2.gz"
  test -f "$1.0.gz" && mv "$1.0.gz" "$1.1.gz"
  test -f "$1" && mv "$1" "$1.0"
  touch "$1"
  chgrp root "$1"
  chmod 660 "$1"
}

# Clear the variables once the work is done.
cleanup() {
  PID=
  LOGROOT=
  BIN=
  LBIN=
}

# Edit the arguments to the 'for' loop to reflect the
# log files you wish to roll over.  On my system, I
# roll over the three files listed.  If you don't have
# 'gzip' then change the line with 'gzip' in it to use
# the file compression program you have.

for i in alert snort_portscan.log MAIL
do
  if [ -s "$LOGROOT/$i" ]; then
    rollover "$LOGROOT/$i"
  fi
  if [ -s "$LOGROOT/$i.0" ]
  then
    $LBIN/gzip "$LOGROOT/$i.0"
  fi
done

# Send SIGHUP so Snort restarts and reopens the fresh log files.
$BIN/kill -HUP $PID

cleanup
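The 'case' on 'uname -n' that the post suggests for serving several sensors from one NFS-mounted copy, written out as an added example (not Neil's script). It keeps a configurable number of compressed generations instead of the fixed .0 to .5 chain, and validates the pidfile contents before anything is signalled. The hostnames, log directories and pidfile paths are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: per-host settings via 'case' on 'uname -n', an
# N-generation rollover, and a pidfile check.  All names are placeholders.

# Choose LOGROOT and PIDFILE for the machine this copy runs on.
# Unknown hosts get a non-zero return so nothing is rotated by guesswork.
host_config() {
  case "$1" in
    sensor-dmz) LOGROOT=/var/log/snort-dmz; PIDFILE=/var/run/snort_hme0.pid ;;
    sensor-lan) LOGROOT=/var/log/snort-lan; PIDFILE=/var/run/snort_le0.pid ;;
    *)          return 1 ;;
  esac
}

# Rotate "$1", keeping $2 compressed generations: $1.0.gz (newest) up to
# $1.(N-1).gz (oldest, overwritten).  Returns 1 if "$1" does not exist.
rollover() {
  f=$1; keep=$2
  [ -f "$f" ] || return 1
  n=$((keep - 1))
  while [ "$n" -gt 0 ]; do
    prev=$((n - 1))
    [ -f "$f.$prev.gz" ] && mv "$f.$prev.gz" "$f.$n.gz"
    n=$prev
  done
  mv "$f" "$f.0"
  gzip "$f.0"
  : > "$f"            # recreate the live log empty ...
  chmod 660 "$f"      # ... with the same mode the original script uses
}

# Print the PID from "$1" only if the file holds a single positive integer;
# an empty or tampered pidfile must not turn into a stray 'kill'.
pid_from_file() {
  [ -r "$1" ] || return 1
  pid=$(head -n 1 "$1" | tr -d '[:space:]')
  case "$pid" in
    ''|*[!0-9]*) return 1 ;;
  esac
  printf '%s\n' "$pid"
}

# Driver for a real run (not invoked here): pick the host, rotate the
# three logs from the original post, then HUP the daemon.
rotate_all() {
  host_config "$(uname -n)" || return 1
  for i in alert snort_portscan.log MAIL; do
    [ -s "$LOGROOT/$i" ] && rollover "$LOGROOT/$i" 6
  done
  pid=$(pid_from_file "$PIDFILE") && kill -HUP "$pid"
}
```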