[Snort-users] Log Rotation

Erek Adams erek at ...577...
Tue Oct 2 13:25:02 EDT 2001


On Tue, 2 Oct 2001, DeBerry, Casey wrote:

> Running snort 1.8 on Solaris 7. In the past, using Linux, I have had success
> with a log-rotate script, but it used the gcc date function to call the previous
> day's date, i.e.:
> PAST=`date --date='1 day ago' +%b%d_%Y`
> This ran as a cron job at 12:01 am and worked great. Solaris, however, does
> not use gcc date. I guess I could run my own bits, but thought there was
> something out there that might be a little bit more elegant.

Simpler perhaps is the following:

--

#! /bin/sh
#
# Rotate the log at the end of the day, HUP snort so it reopens its
# log file, then mail a summary of the rotated file to root.
#
DATE=`/usr/bin/date +%m-%d-%y`
LOGDIR=/var/log
LOG=authlog
PIDFILE=/var/run/snort.le0
if test -d "$LOGDIR"
then
        cd "$LOGDIR"
        if test -s "$LOG"
        then
                mv "$LOG"    "$LOG.$DATE"
                cp /dev/null "$LOG"
                chmod 644    "$LOG"
                sleep 10
        fi
fi
#
# Only signal when the pid file actually holds a pid; `cat` of an
# empty or missing file would leave kill with no argument.
if test -s "$PIDFILE"
then
        kill -HUP `cat "$PIDFILE"`
fi
#
# Nothing to report if no rotation took place today.
if test -s "$LOGDIR/$LOG.$DATE"
then
        /usr/bin/cat "$LOGDIR/$LOG.$DATE" | /local/snort/snort_stat.pl | /usr/lib/sendmail root
fi

--

And I just run it at 23:59.  ;-)

> I need to run snort in a distributed environment, and thought plugging into
> a database would create too much overhead. Maybe ACID? Anyone have ideas
> or input?

Not unless you are really pounding your link.  Drop a backend net onto each
sensor, log over the admin backend for DB and Normal alerts.  Of course,
that's _never_ been done.  *innocent look*

Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
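A portable version of what the original poster was actually after, added here as an example; it is not Erek's script and not anything shipped with snort. It runs just after midnight, derives yesterday's date for the archive name without GNU date (plain awk, so it works with Solaris /usr/bin/date), and only signals snort when a rotation actually happened. It also validates the pid file before using it: kill -HUP `cat pidfile` with an empty file runs kill with no argument, and a pid file that has been replaced with "-1" would HUP every process on the box. The log name (/var/log/snort_alert), pid file path (/var/run/snort_le0.pid) and the report pipeline in main() are placeholders assumed for this example.

```shell
#!/bin/sh
# Added example, not Erek's script or part of the snort distribution.
# Rotates yesterday's alert log on a system without GNU date, then HUPs the
# writer so it reopens the file.  Paths in main() are placeholders.

# yesterday_stamp YYYY MM DD
# Prints the day before the given date as %b%d_%Y (e.g. Oct01_2001), the
# format the original post used.  Pure awk: convert to a Julian day number,
# subtract one, convert back, so month and leap-year boundaries come out right.
yesterday_stamp() {
    awk -v y="$1" -v m="$2" -v d="$3" 'BEGIN {
        a = int((14 - m) / 12); yy = y + 4800 - a; mm = m + 12 * a - 3
        jdn = d + int((153 * mm + 2) / 5) + 365 * yy
        jdn = jdn + int(yy / 4) - int(yy / 100) + int(yy / 400) - 32045 - 1
        a = jdn + 32044
        b = int((4 * a + 3) / 146097); c = a - int(146097 * b / 4)
        dd = int((4 * c + 3) / 1461);  e = c - int(1461 * dd / 4)
        mo = int((5 * e + 2) / 153)
        day = e - int((153 * mo + 2) / 5) + 1
        month = mo + 3 - 12 * int(mo / 10)
        year = 100 * b + dd - 4800 + int(mo / 10)
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
        printf "%s%02d_%04d\n", names[month], day, year
    }'
}

# rotate_log LOGDIR LOG STAMP
# Moves LOGDIR/LOG to LOGDIR/LOG.STAMP, creates an empty replacement readable
# only by owner and group, and prints the archive path.  Returns 1 when there
# is nothing to rotate or an archive with that name already exists.
rotate_log() {
    dir=$1; log=$2; stamp=$3
    [ -d "$dir" ] && [ -s "$dir/$log" ] || return 1
    [ -e "$dir/$log.$stamp" ] && return 1      # never clobber an earlier archive
    mv "$dir/$log" "$dir/$log.$stamp" || return 1
    : > "$dir/$log"
    chmod 640 "$dir/$log"
    printf '%s\n' "$dir/$log.$stamp"
}

# hup_writer PIDFILE
# Sends SIGHUP to the process recorded in PIDFILE so it reopens its log.
# The file must hold exactly one non-negative integer; anything else (empty
# file, "-1", several pids) is rejected instead of being handed to kill.
hup_writer() {
    pidfile=$1
    [ -r "$pidfile" ] || return 1
    pid=$(sed -n '1s/^[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$pidfile")
    [ -n "$pid" ] || return 1
    kill -HUP "$pid"
}

# Daily job: run at 00:01, so "today" minus one day names yesterday's archive.
main() {
    set -- $(date +'%Y %m %d')
    stamp=$(yesterday_stamp "$1" "$2" "$3")
    archive=$(rotate_log /var/log snort_alert "$stamp") || exit 0   # nothing to do
    hup_writer /var/run/snort_le0.pid || echo "warning: could not signal snort" >&2
    sleep 2     # let the writer reopen before we read the archive
    /local/snort/snort_stat.pl < "$archive" | /usr/lib/sendmail root
}

case "${1-}" in
    run) main ;;
esac
```

Invoke it from cron as `sh rotate.sh run`. The process that gets the HUP has to be the one holding the file open: snort itself when it writes its own alert file, but if alerts go out through syslog then syslogd owns the file and is the one that needs to reopen it.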
