[Snort-users] Help with tcpdump log rotation

Rob Hughes rob at ...1932...
Fri May 3 09:17:08 EDT 2002


Ok... I admit it... I'm not bright enough to figure this out. Since
snort now logs in tcpdump format with the date at ...5773...  or
snort-date at ...5774... (depending on whether you specify tcpdump format
from the command line or from the snort.conf file) format, I can't find
a log rotation daemon that supports regex for file names, so, I'm trying
to write a script to do it. However, I can't figure out how to get the
bloody thing to work reliably. I'm hoping that someone on here with more
experience scripting (most of you) can either point me somewhere I can
look at an example, or already has a script that does this. Otherwise,
the only choice I can see is just turning off the binary logging, which
I'd really rather not do, but I also don't want my var slice filling up
any more, which seems to happen every time I go out of town.

What would be even nicer, IMO, would be to make adding the date and time
an option, rather than hard coding it into log.c. I still fail to see
the value in doing this, since I (although I realize others don't) bzip
the log with the date and time the log was archived. Or at least I used
to.

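A rotation script of the kind asked for above, added here as a worked example; it is not part of the original post and is not snort's own code. It assumes that all logs sit in one directory and are named either `snort.log.<epoch>` or `snort-<epoch>.log` (both name forms are assumptions standing in for the two variants the post mentions), that snort keeps writing to the file with the newest timestamp until it is restarted, and that the compressor is bzip2 (as in the post; `SNORT_COMPRESSOR` and `SNORT_SUFFIX` switch it to gzip or similar). Files are aged by the timestamp embedded in their name rather than by mtime, the newest uncompressed file is never touched, older uncompressed files are compressed, and compressed files past a second threshold are removed.

```shell
#!/bin/sh
# Added example (not from the original post): rotate Snort tcpdump-format
# binary logs whose file names embed an epoch timestamp.
#
# Assumptions (not stated on the page; adjust to your snort build):
#   - all logs live in one directory and are named either
#       snort.log.<epoch>   or   snort-<epoch>.log
#   - snort keeps writing to the file with the newest timestamp until it is
#     restarted, so that one file is never compressed or removed here
#   - age is taken from the timestamp in the name, not from mtime, so a
#     touched or restored file is still aged correctly
#
# SNORT_COMPRESSOR / SNORT_SUFFIX default to bzip2 / .bz2 (what the poster
# uses); override them, e.g. SNORT_COMPRESSOR=gzip SNORT_SUFFIX=.gz.

# stamp_of NAME: print the epoch embedded in a log file name; print nothing
# if the name does not look like a snort log (compressed or not).
stamp_of() {
    printf '%s\n' "$1" | awk '
        /^(snort\.log\.[0-9]+|snort-[0-9]+\.log)(\.[A-Za-z0-9]+)?$/ {
            match($0, /[0-9]+/)
            print substr($0, RSTART, RLENGTH)
        }'
}

# rotate_snort_logs DIR COMPRESS_AFTER DELETE_AFTER [NOW]
#   compress uncompressed logs older than COMPRESS_AFTER seconds,
#   delete compressed logs older than DELETE_AFTER seconds;
#   NOW (epoch) defaults to the current time, pass it explicitly for testing.
rotate_snort_logs() {
    dir=$1; compress_after=$2; delete_after=$3
    now=${4:-$(date +%s)}
    compressor=${SNORT_COMPRESSOR:-bzip2}
    sfx=${SNORT_SUFFIX:-.bz2}

    # pass 1: find the newest uncompressed log, assumed to be snort's open file
    newest=""; newest_stamp=0
    for f in "$dir"/snort.log.* "$dir"/snort-*.log; do
        if [ -f "$f" ]; then
            case $f in
                *"$sfx") ;;                      # already compressed, skip
                *)
                    s=$(stamp_of "${f##*/}")
                    if [ -n "$s" ] && [ "$s" -gt "$newest_stamp" ]; then
                        newest_stamp=$s; newest=$f
                    fi ;;
            esac
        fi
    done

    # pass 2: age every other matching file by the timestamp in its name
    for f in "$dir"/snort.log.* "$dir"/snort-*.log "$dir"/snort-*.log"$sfx"; do
        if [ -f "$f" ] && [ "$f" != "$newest" ]; then
            s=$(stamp_of "${f##*/}")
            if [ -n "$s" ]; then
                age=$((now - s))
                case $f in
                    *"$sfx")
                        if [ "$age" -gt "$delete_after" ]; then rm -f "$f"; fi ;;
                    *)
                        if [ "$age" -gt "$compress_after" ]; then "$compressor" "$f"; fi ;;
                esac
            fi
        fi
    done
    return 0
}

# stand-alone use, e.g. daily from cron:
#   rotate_snort_logs /var/log/snort 86400 604800
if [ $# -eq 3 ]; then
    rotate_snort_logs "$@"
fi
```

Run it from cron with the log directory, the age in seconds after which a finished log is compressed, and the age after which a compressed log is dropped. How snort is made to open a fresh file (a restart or otherwise) is outside the script; the only protection against compressing the file snort still has open is that the newest timestamp is skipped, so the compress threshold should be longer than the interval at which snort is restarted.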