[Snort-users] Help with tcpdump log rotation

John Sage jsage at ...2022...
Sat May 11 07:18:02 EDT 2002


On Fri, May 10, 2002 at 03:54:43PM -0500, Rob Hughes wrote:
> On Fri, 2002-05-10 at 13:56, Erek Adams wrote:
> > On 9 May 2002, Rob Hughes wrote:

<snippage>

> We'll see how it works now. I still don't see the value of stamping the
> date/time in the file name though. It's much easier for me to just look
> at the file creation time on a gzip file and say "oh, that's yesterday's
> tcpdump file and that's the one I want to examine." File names like
> "snort-0504 at ...5813..." aren't making my life any easier, because I don't
> *care* when the file was created. I want to know when the logging in a
> given file *ended*, which my way does for me.

um..

Given my method:

[toot at ...2057... /storage/snort/old_snorts/051002]# ls -la
total 444
drwxr-xr-x    2 jsage    jsage        4096 May 11 06:13 .
drwxr-xr-x  356 jsage    jsage        8192 May  2 07:15 ..
-rw----r-x    1 jsage    jsage        2848 May 10 12:52 alert184.full-0510 at ...5814...
-rw----r-x    1 jsage    jsage        2668 May 11 01:02 alert184.full-0510 at ...5815...
-rw----r-x    1 jsage    jsage        1712 May 10 12:52 p0f.log-0510 at ...5814...
-rw----r-x    1 jsage    jsage        1572 May 11 01:02 p0f.log-0510 at ...5815...
-rw----r-x    1 jsage    jsage      263441 May 10 15:15 snort-0510 at ...5814...
-rw----r-x    1 jsage    jsage      151214 May 11 03:25 snort-0510 at ...5815...


Packets in *-0510 at ...5816... include all those up to those received in
*-0510 at ...5815...

Actually, I've found this method to work rather well.

There's a faint awkwardness (I suppose..) when one is looking for a
packet that came in overnight, but even I've become able to figure out
which directory/file it's going to be in.


- John
-- 
Most people don't type their own logfiles;  but, what do I care?

PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5 
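The naming scheme John's listing shows (a directory per day, one rotated file per rotation, with the rotation time in the name) and Rob's preference for the file's mtime are not mutually exclusive, and the question both are really asking is "which rotated file holds a packet seen at time T?". The script below is an added example, not a script from either poster: it rotates a live capture into that layout and then answers that question by name. The archive has obscured the original suffix as "at ...NNNN...", so the example assumes the form NAME-MMDD-HHMM, where HHMM is the time the file was closed; the day directory, stamps and capture contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Models a per-day directory (YYMMDD)
# holding rotated captures named NAME-MMDD-HHMM, where HHMM is the rotation
# (end) time. The HHMM suffix is an assumption; the archive obscured it.

# rotate_capture SRC BASEDIR DAY MMDD HHMM
# Move the live capture SRC into BASEDIR/DAY as NAME-MMDD-HHMM and print
# the new path. mv keeps the mtime, so the file's timestamp still says
# when logging ended, which is what Rob relies on.
rotate_capture() {
    src=$1; base=$2; day=$3; mmdd=$4; hhmm=$5
    mkdir -p "$base/$day" || return 1
    dest="$base/$day/$(basename "$src")-$mmdd-$hhmm"
    mv "$src" "$dest" || return 1
    printf '%s\n' "$dest"
}

# find_capture BASEDIR DAY NAME HHMM
# Print the rotated file that holds a packet seen at HHMM on DAY: the
# first file whose end stamp is >= HHMM. Stamps are zero-padded, so the
# shell's sorted glob expansion is already in chronological order.
# Returns 1 if the packet arrived after the last rotation (still live).
find_capture() {
    base=$1; day=$2; name=$3; want=$4
    for f in "$base/$day/$name"-*-[0-9][0-9][0-9][0-9]; do
        [ -e "$f" ] || break            # glob matched nothing
        stamp=${f##*-}
        if [ "$stamp" -ge "$want" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# demo: two constructed rotations on day 051002, then look up a packet
# that arrived at 09:15. Prints the basename of the matching file.
demo() {
    scratch=$(mktemp -d) || return 1
    printf 'constructed: packets 00:00-06:00\n' > "$scratch/snort"
    rotate_capture "$scratch/snort" "$scratch/old_snorts" 051002 0510 0600 >/dev/null
    printf 'constructed: packets 06:00-12:00\n' > "$scratch/snort"
    rotate_capture "$scratch/snort" "$scratch/old_snorts" 051002 0510 1200 >/dev/null
    hit=$(find_capture "$scratch/old_snorts" 051002 snort 0915)
    rm -rf "$scratch"
    basename "$hit"
}

demo
```

The lookup depends only on the end stamp in the name, so it works the same whether the files have since been gzipped or copied elsewhere, which is the case where a bare mtime stops being trustworthy.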