[Snort-users] Log Rotation

JP Vossen vossenjp at ...8683...
Thu Dec 4 20:44:01 EST 2003


> Date: Thu, 4 Dec 2003 12:46:05 -0800
> From: "Keaton, Lindamaria" <LKeaton at ...10093...>
> To: <snort-users at lists.sourceforge.net>
> Subject: [Snort-users] Log Rotation
>
> Hello everyone. I'm trying to configure snort to rotate logs into a
> specific directory either every night and then have snort restart its
> service. Right now I have a configuration setup that is sort of working
> but it's not every night or when it reaches a certain limit.

<snip>

> Plus this configuration does not restart the service.  I have to reboot
> the server every morning to get snort running again.

WHAT?!?  Are you INSANE?  Please tell me you meant restart the service and not
reboot the server!!!  What is this, Windows?  (I'm assuming you are not trying
to get logrotate to work on Windows.) <big grin>


OK, seriously, I went a rather different route (on Linux, Red Hat 8, just to
be clear).  My /etc/init.d/snortd has something like the following:

        # Log everything in a dated directory
        TheDate=`/bin/date '+%Y-%m-%d'`
        if [ ! -d /var/log/snort/${SNORTNAME}/${TheDate} ]; then
                /bin/mkdir -p /var/log/snort/${SNORTNAME}/${TheDate}
        fi

        # Actually start snort, with our options
        daemon /usr/sbin/${SNORTNAME} -D -i $INTERFACE \
                -c /etc/${SNORTNAME}/snort.conf \
                -l /var/log/snort/${SNORTNAME}/${TheDate} -b ${BPFFILE}

Then my crontab has something like:
        # Restart Snort to use new Log Dir
        01 00 * * * /etc/rc.d/init.d/snortd restart

So every night at 1 minute after midnight cron restarts Snort.  This a)
activates any config or rules changes I may have made (though if I screw them
up and Snort fails to actually start that's a Bad Thing), and b) starts
logging to a dated directory.  That has been working very well for me, though
I have a small environment.

YMMV,
JP
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|         jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
You used to have to reboot the Windows 9.x series every couple of days
because it would crash.  Now you have to reboot Windows 200x or XP every
couple of days because of a patch.  How is that better or more stable?
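
The dated-directory scheme above, with a config test added before the nightly restart so that a broken rules edit does not leave the sensor down (the "Bad Thing" JP mentions). This is an added example, not code from the original post; `SNORT_BIN`, `SNORT_CONF`, `LOG_BASE`, `SNORTNAME` and `INITSCRIPT` are placeholder settings, and `snort -T` is Snort's test-configuration mode.

```shell
#!/bin/sh
# Added example (not from the original post). Placeholder settings; override
# them from the environment to match a real sensor.
SNORT_BIN="${SNORT_BIN:-/usr/sbin/snort}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
LOG_BASE="${LOG_BASE:-/var/log/snort}"
SNORTNAME="${SNORTNAME:-snort}"
INITSCRIPT="${INITSCRIPT:-/etc/rc.d/init.d/snortd}"

# Print (creating it if needed) the dated log directory for one day, e.g.
# /var/log/snort/snort/2003-12-04. An explicit date may be passed for testing.
dated_logdir() {
    day="${1:-$(date '+%Y-%m-%d')}"
    dir="$LOG_BASE/$SNORTNAME/$day"
    [ -d "$dir" ] || mkdir -p "$dir" || return 1
    printf '%s\n' "$dir"
}

# Return 0 only if the config parses (snort -T exits non-zero on a bad
# rules or config file).
config_ok() {
    "$SNORT_BIN" -T -c "$SNORT_CONF" >/dev/null 2>&1
}

# Nightly cron job: create today's directory and restart only when the
# config test passes; otherwise keep the running sensor and report it.
nightly_restart() {
    if config_ok; then
        dated_logdir >/dev/null || return 1
        "$INITSCRIPT" restart
    else
        echo "snort config test failed; not restarting" >&2
        return 2
    fi
}
```

Run `nightly_restart` from the 00:01 cron entry in place of the bare `snortd restart`; a failed test is logged to cron's mail/stderr while the previous Snort instance keeps logging.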