[Snort-users] Log Rotation

Erek Adams erek at ...577...
Tue Oct 2 13:25:02 EDT 2001

On Tue, 2 Oct 2001, DeBerry, Casey wrote:

> Running snort 1.8 on solaris 7. In the past, using linux, have had success
> with log-rotate script.. but it used the gcc date function to call previous
> days date.. ie:
> PAST=`date --date='1 day ago' +%b%d_%Y`
> This ran as a cron job at 12:01 am and worked great. Solaris however, does
> not use gcc date.. I guess I could run my own bits, but thought there was
> something out there that might be a little bit more elegant.

Simpler perhaps is the following:


#! /bin/sh
# LOGDIR and LOG were not defined in the posted script; these two
# values are placeholders, set them for your install.
LOGDIR=/var/log/snort
LOG=alert
DATE=`/usr/bin/date +%m-%d-%y`
if test -d "$LOGDIR"
then
        cd "$LOGDIR"
        if test -s "$LOG"
        then
                mv "$LOG"    "$LOG.$DATE"
                cp /dev/null "$LOG"
                chmod 644    "$LOG"
                sleep 10
                # SIGHUP makes snort close the old log and reopen the new empty one
                kill -HUP `cat /var/run/snort.le0`
                /usr/bin/cat "$LOG.$DATE" | /local/snort/snort_stat.pl | /usr/lib/sendmail root
        fi
fi


And I just run it at 23:59.  ;-)

> I need to run snort in a distributed environment, and thought plugging to
> a database would create too much overhead. Maybe ACID? Anyone have ideas
> or input?

Not unless you are really pounding your link.  Drop a backend net onto each
sensor, log over the admin backend for DB and Normal alerts.  Of course,
that's _never_ been done.  *innocent look*

Hope that helps!

Erek Adams
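The rotation Erek describes (move the log aside, recreate it empty, HUP snort so it reopens the file, then mail a snort_stat.pl report), written as a POSIX sh function with each step checked. This is an added example, not code from the original post or from the Snort project. The pid-file path /var/run/snort.le0 and the /local/snort/snort_stat.pl report script are the ones named in the post; the log directory, log name and the exit codes are assumptions of this example. Like Erek's script it stamps the file with today's date and is meant to run just before midnight, which sidesteps the "1 day ago" date arithmetic that Solaris date lacks.

```shell
#!/bin/sh
# Added example (not the original post's script): POSIX sh Snort log
# rotation with explicit failure modes. Paths passed in are placeholders.

# rotate_log LOGDIR LOG PIDFILE
# Moves LOGDIR/LOG aside as LOG.YYYY-MM-DD (appending .1, .2, ... if that
# name already exists, so a second run on the same day cannot clobber the
# first), recreates an empty LOG, and sends Snort SIGHUP from PIDFILE so it
# reopens the new file. Prints the rotated file's path on stdout.
# Exit status: 0 rotated and Snort signalled; 1 LOGDIR missing or mv failed;
# 2 nothing to rotate (LOG missing or empty); 3 rotated, but PIDFILE unusable,
# so Snort was NOT signalled and is still writing into the moved file.
rotate_log() {
    logdir=$1; log=$2; pidfile=$3
    [ -d "$logdir" ] || return 1
    [ -s "$logdir/$log" ] || return 2
    # ISO date sorts correctly in ls output; the post used %m-%d-%y.
    stamp=`date +%Y-%m-%d`
    rotated="$logdir/$log.$stamp"
    n=0
    while [ -e "$rotated" ]; do
        n=`expr $n + 1`
        rotated="$logdir/$log.$stamp.$n"
    done
    mv "$logdir/$log" "$rotated" || return 1
    : > "$logdir/$log"          # same effect as cp /dev/null $LOG
    chmod 644 "$logdir/$log"
    echo "$rotated"
    # HUP Snort so it closes the old descriptor and opens the new file.
    [ -r "$pidfile" ] || return 3
    pid=`cat "$pidfile"`
    case "$pid" in
        ''|*[!0-9]*) return 3 ;;    # empty or non-numeric pid file
    esac
    kill -HUP "$pid" 2>/dev/null || return 3
    return 0
}

# Cron entry body (run near midnight), using the pid file and report
# script named in the post; the report is only mailed when the rotation
# and the HUP both succeeded:
#   f=`rotate_log /var/log/snort alert /var/run/snort.le0` \
#       && /local/snort/snort_stat.pl < "$f" | /usr/lib/sendmail root
```

Status 3 is the case worth alerting on: the file has been moved but Snort still holds the old descriptor, so the fresh log stays empty until Snort is restarted or signalled by hand.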

