[Snort-users] Log Rotation

brandon at ...3618...
Wed Oct 3 07:26:08 EDT 2001


On Tue, Oct 02, 2001 at 01:24:18PM -0700, Erek Adams wrote:
> On Tue, 2 Oct 2001, DeBerry, Casey wrote:
> 
> > Running snort 1.8 on solaris 7. In the past, using linux, have had success
> > with log-rotate script.. but it used the gcc date function to call previous
> > days date.. ie:
> > PAST=`date --date='1 day ago' +%b%d_%Y`
> > This ran as a cron job at 12:01 am and worked great. Solaris however, does
> > not use gcc date.. I guess I could run my own bits, but thought there was
> > something out there that might be a little bit more elegant.

I took the other approach, rather than moving yesterday's snort log
directory to yesterday's date, I just kick snort once a day and have
it log out to a directory with the current day's date.  I have two
scripts to do this:

----------------------------------------/snort/bin/rotate (called from cron)
#!/bin/sh
# kill the old snort, launch a new one
tok="/usr/local/bin/snort -c /snort/rules/snort.conf"
# drop the fgrep itself from the match: its own command line also contains $tok
pid=`ps auxw | fgrep "$tok" | fgrep -v fgrep | awk '{print $2}'`
for p in $pid ; do
    if [ "$p" -gt 1 ]; then
        kill $p
    fi
done

/snort/bin/launch &
----------------------------------------/snort/bin/launch
#!/bin/sh
# log to today's date

date=`date +%Y-%m-%d`
snortconf="/snort/rules/snort.conf"
snortdir=/snort/logs/$date
dev=fxp1

if [ ! -d $snortdir ]; then
    mkdir $snortdir
    touch $snortdir/alert
    /snort/bin/rotate-pigsentry
fi

# -b (tcpdump-format binary logging) is left out here
# -o puts pass rules first
(/usr/local/bin/snort -c $snortconf \
                           -i $dev \
                           -A full \
                           -o \
                           -X \
                           -z est \
                           -k none \
                           -l $snortdir 2>&1) >> $snortdir/snort.log &
----------------------------------------

-Brandon Gillespie
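A POSIX sh version of the date-based rotation Casey described, added here as an example and not code from either poster: it computes yesterday's date with shell arithmetic instead of GNU `date --date`, and locates the running sensor through a pidfile instead of `ps | fgrep` (which also matches the fgrep itself). The log layout `LOGDIR/current`, the pidfile path and the `/snort/bin/launch` relaunch command are assumptions.

```shell
#!/bin/sh
# days_in_month YEAR MONTH: print the month length, with Gregorian leap years
days_in_month() {
    case $2 in
        1|3|5|7|8|10|12) echo 31 ;;
        4|6|9|11)        echo 30 ;;
        2) if [ $(($1 % 4)) -eq 0 ] && { [ $(($1 % 100)) -ne 0 ] || [ $(($1 % 400)) -eq 0 ]; }
           then echo 29; else echo 28; fi ;;
    esac
}

# yesterday YEAR MONTH DAY: print the previous calendar day as YYYY-MM-DD using
# only sh arithmetic, for systems whose date(1) has no --date option (Solaris)
yesterday() {
    y=$1 m=${2#0} d=${3#0}            # drop a leading zero: "08" would be octal to $(( ))
    d=$((d - 1))
    if [ "$d" -lt 1 ]; then
        m=$((m - 1))
        [ "$m" -lt 1 ] && { m=12; y=$((y - 1)); }
        d=$(days_in_month "$y" "$m")
    fi
    printf '%04d-%02d-%02d\n' "$y" "$m" "$d"
}

# rotate_logs LOGDIR [PIDFILE]: run from cron just after midnight. Moves
# LOGDIR/current to LOGDIR/<yesterday>, recreates an empty current/, and if a
# pidfile is given restarts the sensor recorded in it. Prints the archive dir.
# (pidfile location and relaunch command are site-specific assumptions)
rotate_logs() {
    base=$1 pidfile=$2
    set -- $(date +'%Y %m %d')
    archive="$base/$(yesterday "$1" "$2" "$3")"
    [ -d "$archive" ] && { echo "refusing to overwrite $archive" >&2; return 1; }
    mv "$base/current" "$archive" && mkdir "$base/current" || return 1
    if [ -n "$pidfile" ] && [ -r "$pidfile" ]; then
        pid=$(cat "$pidfile")
        # kill only a sane pid read from the file, never init
        [ "$pid" -gt 1 ] 2>/dev/null && kill "$pid"
        /snort/bin/launch &           # assumption: site's own launch script
    fi
    echo "$archive"
}
```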
