[Snort-users] Log Rotation

Keaton, Lindamaria LKeaton at ...10093...
Fri Dec 5 10:30:02 EST 2003

I get the following error message. Any ideas? By the way I am running
this on Linux.

# /etc/init.d/snort restart
/etc/init.d/snort: line 1: /var/log/snort//2003-12-05: No such file or
/etc/init.d/snort: line 1: /var/log/snort//2003-12-05: No such file or
Stoping Intrusion Database System: SNORT
/etc/init.d/snort: line 1: /var/log/snort//2003-12-05: No such file or
Starting Intrusion Database System: SNORT
SNORT is up and running!

-----Original Message-----
From: JP Vossen [mailto:vossenjp at ...8683...] 
Sent: Thursday, December 04, 2003 8:43 PM
To: snort-users at lists.sourceforge.net
Cc: Keaton, Lindamaria
Subject: Re: [Snort-users] Log Rotation

> Date: Thu, 4 Dec 2003 12:46:05 -0800
> From: "Keaton, Lindamaria" <LKeaton at ...10093...>
> To: <snort-users at lists.sourceforge.net>
> Subject: [Snort-users] Log Rotation
> Hello everyone. I'm trying to configure snort to rotate logs into a
> specific directory either every night and then have snort restart it's
> service. Right now I have a configuration setup that is sort of
> but it's not every night or when it reaches a certain limit.


> Plus this configuration does not restart the service.  I have to
> the server every morning to get snort running again.

WHAT?!?  Are you INSANE?  Please tell me you meant restart the service
and not
reboot the server!!!  What is this, Windows?  (I'm assuming you are not
to get logrotate to work on Windows.) <big grin>

OK, seriously, I went a rather different route (on Linux, Red Hat 8,
just to
be clear).  My /etc/init.d/snortd has something like the following:

        # Log everything in a dated directory
        TheDate=`/bin/date '+%Y-%m-%d'`
        if [ ! -d /var/log/snort/${SNORTNAME}/${TheDate} ]; then
                /bin/mkdir -p /var/log/snort/${SNORTNAME}/${TheDate}

        # Actually start snort, with our options
        daemon /usr/sbin/${SNORTNAME} -D -i $INTERFACE \
		-c /etc/${SNORTNAME}/snort.conf \
                -l /var/log/snort/${SNORTNAME}/${TheDate} -b ${BPFFILE}

Then my crontab has something like:
	# Restart Snort to use new Log Dir
	01 00 * * * /etc/rc.d/init.d/snortd restart

So every night at 1 minute after midnight cron restarts Snort.  This a)
activates any config or rules changes I may have made (though if I screw
up and Snort fails to actually start that's a Bad Thing), and b) starts
logging to a dated directory.  That has been working very well for me,
I have a small environment.

JP Vossen, CISSP              |:::======|
My Account, My Opinions       |=========|
You used to have to reboot the Windows 9.x series every couple of days
because it would crash.  Now you have to reboot Windows 200x or XP every
couple of days because of a patch.  How is that better or more stable?

This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for
Free Linux Tutorials.  Learn everything from the bash shell to sys
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list