[Snort-users] Please mommy... make the bad man stop!
rob at ...1932...
Wed Mar 6 11:26:25 EST 2002
On Wed, 2002-03-06 at 13:02, Erek Adams wrote:
> On Wed, 6 Mar 2002, Erek Adams wrote:
> > On 6 Mar 2002, Rob Hughes wrote:
> > > Here's the deal. Until some cvs update a few months ago, snort happily
> > > logged /var/log/snort/snort.log. Then it started prepending a time/date
> > > stamp onto the files, neatly removing my ability to do log rotate jobs
> > > since the files now have unpredictable names. This is the only logging
> > > entry:
> > >
> > > output log_tcpdump: snort.log
> > >
> > > I'm currently running 1.8.4-beta2 on FreeBSD 4.5-STABLE. I've looked
> > > through the code, but can't figure out why it's doing this.
> > >
> > > HALP! This is driving me nuts.
> > Whoopsy, I hit send before I was ready! :)
> > Lemme dig thru the code and see what comes up. I'm headed to bed now. :)
> Note to self: Don't try to write email whilst sleep deprived.
> [line numbers might be off slightly since this is a CVS version...]
> If you have a look in log.c at about line 2549, you'll see the start
> of InitBinLogFile. Going down into that a bit, you'll see some lines (2560
> and 2581) that look like:
> strftime(timebuf, TIMEBUF_SIZE-1, "%m%d@%H%M", loc_time);
> Later in the code you see a line (2588-2589) that looks like:
> snprintf(logdir, sizeof(logdir) -1, "%s%s/snort-%s.log",
> chrootdir == NULL ? "" : chrootdir, pv.log_dir, timebuf);
> That's where you'd need to change it.
> ***WARNING*** Doing this can be bad. That means you now have a one off
> version of snort and you'll need to make the same mods to each new version
> that comes out. I would suggest a simpler approach: Modify your script.
> Have it scan the directory for any *snort*.log files and then stop snort, move
> the files somewhere else with another name and then restart snort. This would
> mean that your log dir shouldn't ever have more than one .log file in it.
> Anyways--Hope this helps!
> Erek Adams
That's what I thought might be causing it, but I don't have old versions
of the code to compare to. Nuts. I've asked Martin to restore the old
way of writing the snort.log, or to add an option, since I know a new
log will get generated every day due to another log file rotation job I
have. In addition, log files will get created if I have to reboot the
machine due to running make world or something on it. Welp, thanks for
your help. At least I learned something. And it looks like it's time to
write a new script.
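The rotation approach Erek suggests above (stop snort, move every *snort*.log out of the log directory under a new name, restart snort) is a small shell job. The script below is an added example for this thread, not code from either poster or from the Snort project. The log and archive directory defaults, the environment variable names, and the rc.d stop/start commands are assumptions; point them at your own install. It stamps each archived file with the rotation time so repeated runs never overwrite each other, refuses to rotate if snort could not be stopped, and always tries to bring snort back up even when the move failed.

```shell
#!/bin/sh
# Added example (not from the original thread): rotate snort's binary logs by
# stopping snort, archiving every *snort*.log, and restarting it.
# All paths and control commands below are assumptions; override via environment.

SNORT_LOG_DIR="${SNORT_LOG_DIR:-/var/log/snort}"
SNORT_ARCHIVE_DIR="${SNORT_ARCHIVE_DIR:-/var/log/snort/archive}"
# Hypothetical stop/start commands (an rc.d script here; a pidfile-based
# kill/restart elsewhere). Set SNORT_STOP/SNORT_START for your system.
SNORT_STOP="${SNORT_STOP:-/usr/local/etc/rc.d/snort.sh stop}"
SNORT_START="${SNORT_START:-/usr/local/etc/rc.d/snort.sh start}"

# Move every *snort*.log in directory $1 into directory $2, suffixing a
# rotation timestamp so repeated rotations never clobber each other.
# Prints the number of files moved; returns non-zero on any failure.
archive_snort_logs() {
    logdir="$1"
    archive="$2"
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$archive" || return 1
    count=0
    for f in "$logdir"/*snort*.log; do
        [ -f "$f" ] || continue            # the glob matched nothing
        base=$(basename "$f" .log)
        dest="$archive/$base.$stamp"
        # Never overwrite an earlier archive; add the pid if the stamp collides.
        [ -e "$dest" ] && dest="$dest.$$"
        mv "$f" "$dest" || return 1
        count=$((count + 1))
    done
    echo "$count"
}

# Full rotation: stop snort, archive, restart. Snort is restarted even when
# archiving fails, so a broken rotation never leaves the sensor down.
rotate_snort_logs() {
    $SNORT_STOP || { echo "snort stop failed, not rotating" >&2; return 1; }
    if n=$(archive_snort_logs "$SNORT_LOG_DIR" "$SNORT_ARCHIVE_DIR"); then
        rc=0
    else
        rc=1
    fi
    $SNORT_START || { echo "snort restart failed" >&2; return 1; }
    [ "$rc" -eq 0 ] || return 1
    echo "rotated $n file(s)"
}

# Run the rotation only when explicitly asked (e.g. from cron with
# SNORT_ROTATE_RUN=1), so sourcing this file has no side effects.
if [ "${SNORT_ROTATE_RUN:-0}" = 1 ]; then
    rotate_snort_logs
fi
```

Because the stop and start commands are plain variables, the same script can be dry-run against a scratch directory by setting them to `true` before calling `rotate_snort_logs`; with a real sensor, put it in cron with `SNORT_ROTATE_RUN=1` and keep the window between stop and start as short as the move allows.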