[Snort-users] Help with tcpdump log rotation

Rob Hughes rob at ...1932...
Fri May 10 13:50:02 EDT 2002


On Fri, 2002-05-10 at 13:56, Erek Adams wrote:
> On 9 May 2002, Rob Hughes wrote:
> 
> > Thanks. I have something like this in place now. If you look at the
> > functionality of newsyslog, that's what I'm trying to accomplish.
> > Newsyslog allows you to specify a file size, time, etc. to determine
> > when it should do the rotation, as well as how many saved logs to keep.
> > That's what I'm having trouble with, since I don't seem to be able to
> > figure out how to make it work the way I want. I may end up having to
> > learn perl or something, if I can't get this going in shell.
> 
> Guys, you could make your life a bit simpler....  :)  In snort.c:
> 
>     968             case 'L':  /* set BinLogFile name */
>     969                 /* implies tcpdump format logging */
>     970                 if (strlen(optarg) < 256)
>     971                 {
>     972                     pv.binLogFile = strdup(optarg);
>     973                     pv.logbin_flag = 1;
>     974                     pv.log_cmd_override = 1;
>     975                 }
>     976                 else
>     977                 {
>     978                     FatalError("ERROR =>ParseCmdLine, log file: %s, > than 256 characters\n",
>     979                             optarg);
>     980                 }
>     981                 break;
> 
> Ok, granted:  It's undocumented and therefore 'unsupported' and therefore
> 'subject to future change', but it would do what you want.
> 
> Cheers!
> 
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net
> 

Thanks Erek. Long time ago, when snort was coring on me constantly, I
was told not to use the -L parameter on the command line, but instead to
do it through the conf file. Sure enough, snort stopped coring on me.
We'll see how it works now. I still don't see the value of stamping the
date/time in the file name though. It's much easier for me to just look
at the file creation time on a gzip file and say "oh, that's yesterday's
tcpdump file and that's the one I want to examine." File names like
"snort-0504 at ...5813..." aren't making my life any easier, because I don't
*care* when the file was created. I want to know when the logging in a
given file *ended*, which my way does for me. But especially, it makes
log maintenance easier, as I back this box up once a week which gets me
archives of old logs before they're deleted (backups every 7, keep 8
days of logs).
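The newsyslog-style behaviour the thread is after (rotate only past a size limit, keep a fixed number of gzipped copies, and let the archive's mtime say when logging in it ended) can be done in plain sh. This is an added example, not code from the thread or from the Snort project; the file name, size limit and keep count are arguments, and it assumes the writer (snort) has been stopped or restarted so it reopens the live file, as Rob describes doing through the conf file.

```shell
#!/bin/sh
# rotate_log FILE MAXBYTES KEEP
# Rotate FILE the way newsyslog does: only when it is larger than MAXBYTES,
# shifting FILE.N.gz -> FILE.(N+1).gz, compressing the freshest copy as
# FILE.0.gz and discarding anything beyond KEEP compressed copies.
# Returns 0 when a rotation happened, 1 when the file was still small enough.
rotate_log() {
    file=$1; maxbytes=$2; keep=$3

    [ -f "$file" ] || return 1
    size=$(wc -c < "$file" | tr -d ' ')
    [ "$size" -gt "$maxbytes" ] || return 1

    # The oldest archive falls off the end of the retention window.
    rm -f "$file.$((keep - 1)).gz"

    # Shift the remaining archives from oldest to newest so none is clobbered.
    i=$((keep - 2))
    while [ "$i" -ge 0 ]; do
        [ -f "$file.$i.gz" ] && mv "$file.$i.gz" "$file.$((i + 1)).gz"
        i=$((i - 1))
    done

    # Move the live file aside, recreate it empty, then compress the old copy.
    # gzip keeps the input's timestamp, so FILE.0.gz's mtime is the last write
    # to the log, i.e. when logging in that file ended (the point Rob makes).
    mv "$file" "$file.0"
    : > "$file"
    gzip -f "$file.0"
    return 0
}

# count_archives FILE -> number of FILE.N.gz copies currently kept
count_archives() {
    n=0
    for f in "$1".*.gz; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}
```

Run it from cron with the same file snort's -L points at, e.g. `rotate_log /var/log/snort/snort.log 104857600 8` for a 100 MB limit and eight kept copies.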