[Snort-users] Revised log rollover script

Neil Dickey neil at ...1633...
Thu Mar 22 16:12:51 EST 2001


Gregor Binder very kindly made some suggestions to me for
improving the script I posted to the list earlier.  It is
hoped that the changes will make it easier for those less
familiar with unix to configure and run the script, as all
of the user-configurable parameters have been gathered
together and identified near the top.

I've tested it carefully, and the new version seems to work
fine.  Please let me know if you find any bugs.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115

---------------------------------------------------------------------

#!/sbin/sh
#
# Script designed to roll over commonly used Snort logs, and
# restart the daemon.  Be sure to make the changes indicated
# under "USER CONFIGURABLE PARAMETERS" before attempting to
# run the script.
#
#     NDJr 03/22/01
#

BIN=/usr/bin

# USER CONFIGURABLE PARAMETERS
#==================================================================

# Set COMPRESS to the full path and executable of your file
# compression program.  I use 'gzip'.

COMPRESS=/usr/local/bin/gzip

# Specify the appropriate paths for the PID and LOGROOT variables.
# The path in PID should include the actual name of the file which
# contains the current Snort pid.  Don't include the names of any
# actual logfiles in LOGROOT -- it's a path to a directory.

# Uncomment this PID setting and comment out the other if you do
# not wish the daemon to be reset for some reason.
#PID="noreset"

PID=`$BIN/cat /path/to/snort_Xe0.pid`
LOGROOT=/path/to/Snort/logs

# Set maximum number of past logs to save.

MAXLOGS=7

# List files to be rolled over.  The quotation marks and the spaces
# between filenames should be preserved.  The files listed are the
# ones I maintain with this script.  You can list more or fewer.

FILENAMES="alert snort_portscan.log MAIL"

#==================================================================
# YOU SHOULDN'T NEED TO ALTER ANYTHING BELOW THIS LINE.
# Many thanks to Gregor Binder for suggesting a better way to write
# the 'rollover' subroutine.

# rollover FILE MAXLOGS: shift FILE.N.gz up to FILE.N+1.gz for N from
# MAXLOGS-1 down to 0 (the copy already at MAXLOGS is overwritten), then
# move the live FILE to FILE.0 and create a fresh, empty FILE.
rollover() {
  LOOPCTL="$2"
  while [ "$LOOPCTL" -gt 0 ]; do
    SAVE="$LOOPCTL"
    LOOPCTL=`$BIN/expr $LOOPCTL - 1`
    [ -f "${1}.${LOOPCTL}.gz" ] && $BIN/mv "${1}.${LOOPCTL}.gz" "${1}.${SAVE}.gz"
  done

  [ -f "$1" ] && $BIN/mv "$1" "${1}.0"

  # New empty log, group root, not world-readable.
  $BIN/touch "$1"
  $BIN/chgrp root "$1"
  $BIN/chmod 660 "$1"
}

cleanup() {
  PID=
  LOGROOT=
  BIN=
  MAXLOGS=
  SAVE=
  COMPRESS=
  FILENAMES=
  LOOPCTL=
}

for i in $FILENAMES
do
  # Only rotate logs that actually contain something.
  if [ -s "$LOGROOT/$i" ]; then
    rollover "$LOGROOT/$i" "$MAXLOGS"
  fi
  # Compress the generation that was just rotated out.
  if [ -s "$LOGROOT/$i.0" ]; then
    $COMPRESS "$LOGROOT/$i.0"
  fi
done

# Signal Snort to reopen its logs, unless resetting was disabled above
# or the pid file turned out to be empty.
if [ "$PID" != "noreset" -a -n "$PID" ]; then
  $BIN/kill -HUP "$PID"
fi

cleanup
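An added example (not part of Neil's posting) that exercises the same shifting scheme as the 'rollover' subroutine in a throwaway directory, with constructed stand-ins for the alert.N.gz files, so you can see how many generations MAXLOGS really keeps and which one is silently overwritten. It assumes a POSIX sh with $(( )) and mktemp -d rather than the Solaris /sbin/sh and expr the script targets, and it does not run gzip.

```shell
#!/bin/sh
# Added example (not from the original posting): exercise the same
# rotation scheme as the 'rollover' subroutine above in a throwaway
# directory, using constructed stand-ins for alert.N.gz, to show what
# MAXLOGS actually retains and which generation gets overwritten.

rotate() {  # rotate FILE MAXLOGS -- same shifting scheme as the posted script
  n="$2"
  while [ "$n" -gt 0 ]; do
    keep="$n"
    n=$((n - 1))
    # shift generation n up to n+1; the file already at MAXLOGS is overwritten
    [ -f "${1}.${n}.gz" ] && mv "${1}.${n}.gz" "${1}.${keep}.gz"
  done
  [ -f "$1" ] && mv "$1" "${1}.0"    # live log becomes the uncompressed .0
  touch "$1" && chmod 660 "$1"       # fresh, group-readable log for the daemon
}

setup_sandbox() {  # setup_sandbox MAXLOGS -> prints the directory
  dir=$(mktemp -d) || return 1
  printf 'live\n' > "$dir/alert"     # constructed stand-in for the live log
  i=0
  while [ "$i" -le "$1" ]; do        # generations 0..MAXLOGS already present
    printf 'gen%s\n' "$i" > "$dir/alert.$i.gz"   # tag says where it came from
    i=$((i + 1))
  done
  echo "$dir"
}

count_archives() {  # count_archives DIR -> number of alert.*.gz files
  c=0
  for f in "$1"/alert.*.gz; do [ -f "$f" ] && c=$((c + 1)); done
  echo "$c"
}

rotate_demo() {  # rotate_demo MAXLOGS -> "<archives> <oldest tag> <alert.0 tag>"
  d=$(setup_sandbox "$1") || return 1
  rotate "$d/alert" "$1"
  printf '%s %s %s\n' "$(count_archives "$d")" \
    "$(cat "$d/alert.${1}.gz")" "$(cat "$d/alert.0")"
  rm -rf "$d"
}

# With MAXLOGS=3: 3 archives remain, gen3 is gone (gen2 took its slot),
# and alert.0 holds the old live log until the compression step runs.
rotate_demo 3
```

Once the compression step turns alert.0 into alert.0.gz, generations 0 through MAXLOGS are on disk, so MAXLOGS=7 keeps eight days of history and the eighth-oldest is dropped on the next run; size MAXLOGS against how far back you need to look during an investigation.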