[Snort-users] Log Rotation

JP Vossen vossenjp at ...8683...
Fri Dec 5 11:27:12 EST 2003


On Fri, 5 Dec 2003, Keaton, Lindamaria wrote:

> I get the following error message. Any ideas? By the way I am running
> this on Linux.
>
> # /etc/init.d/snort restart
> /etc/init.d/snort: line 1: /var/log/snort//2003-12-05: No such file or
> directory
> /etc/init.d/snort: line 1: /var/log/snort//2003-12-05: No such file or
> directory
> Stoping Intrusion Database System: SNORT
> .
> /etc/init.d/snort: line 1: /var/log/snort//2003-12-05: No such file or
> directory
> Starting Intrusion Database System: SNORT
> SNORT is up and running!

The symptom is that Snort can't find the log directory. Sorry about that.  I
assumed you would remove the non-relevant parts from the code before using it.
I run more than one instance of Snort, so there is an extra variable called
${SNORTNAME} in there.  That is causing the '//' in 'snort//2003' above.  I
suspect that is the root cause of the problem.

Here is a better /etc/init.d/snortd fragment (NOT TESTED) with more comments:

        # Log everything in a dated directory.
        # Get the date (this has to run after midnight so the directory
        # name matches the day whose logs go into it).
        TheDate=`/bin/date '+%Y-%m-%d'`
        # Create the new dated directory if it does not exist.
        if [ ! -d "/var/log/snort/${TheDate}" ]; then
                /bin/mkdir -p "/var/log/snort/${TheDate}"
        fi

        # Actually start snort, with our options: daemonize (-D), sniff on
        # $INTERFACE, read the rules from /etc/snort.conf, log into the
        # dated directory (-l), log packets in binary tcpdump format (-b,
        # which takes no argument) and read the BPF filter from ${BPFFILE}
        # with -F (the original line passed ${BPFFILE} to -b by mistake).
        daemon /usr/sbin/snort -D -i "${INTERFACE}" \
                -c /etc/snort.conf \
                -l "/var/log/snort/${TheDate}" -b -F "${BPFFILE}"

Later,
JP
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|         jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
You used to have to reboot the Windows 9.x series every couple of days
because it would crash.  Now you have to reboot Windows 200x or XP every
couple of days because of a patch.  How is that better or more stable?
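The following is an added example, not JP's script and not part of the Snort project: a POSIX sh fragment that builds the per-day log directory for one or more Snort instances without ever producing the `//` that the quoted error shows, creates it for `snort -l`, and prunes dated directories older than N days, which is the rotation step the thread subject asks about. The root `/var/log/snort` (overridable through `SNORT_LOG_ROOT`), the optional instance-name argument standing in for `${SNORTNAME}`, and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Snort project.
# Builds a per-day Snort log directory for one or more Snort instances without
# producing a '//' in the path, and removes dated directories older than N
# days.  SNORT_LOG_ROOT, the instance-name argument and the function names
# are assumptions made for this example.

SNORT_LOG_ROOT="${SNORT_LOG_ROOT:-/var/log/snort}"

# snort_log_dir NAME [DATE]
# Print the dated log directory for instance NAME.  NAME may be empty (a single
# Snort instance), in which case the instance level is left out entirely, so
# the result is .../snort/2003-12-05 rather than .../snort//2003-12-05.
# DATE defaults to today as YYYY-MM-DD; compute it after midnight so the
# directory name matches the day being logged.
snort_log_dir() {
    name="$1"
    day="${2:-$(date '+%Y-%m-%d')}"
    if [ -n "$name" ]; then
        printf '%s/%s/%s\n' "$SNORT_LOG_ROOT" "$name" "$day"
    else
        printf '%s/%s\n' "$SNORT_LOG_ROOT" "$day"
    fi
}

# ensure_snort_log_dir NAME [DATE]
# Create the dated directory (mkdir -p is idempotent, so no -d test is needed)
# and print its path so a start script can hand it to snort -l.
ensure_snort_log_dir() {
    dir="$(snort_log_dir "$1" "$2")" || return 1
    mkdir -p "$dir" || return 1
    printf '%s\n' "$dir"
}

# prune_snort_logs DAYS
# Rotation by age: delete dated directories (basename YYYY-MM-DD) under the
# root at depth 1 (single instance) or depth 2 (per-instance layout) whose
# modification time is more than DAYS days old.  -prune keeps find from
# descending into a directory that is about to be removed.  -mindepth and
# -maxdepth are GNU find options (Linux, as in the thread).
prune_snort_logs() {
    days="$1"
    find "$SNORT_LOG_ROOT" -mindepth 1 -maxdepth 2 -type d \
        -name '[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]' \
        -mtime +"$days" -prune -exec rm -rf {} +
}
```

In an init script the start line becomes `-l "$(ensure_snort_log_dir "$SNORTNAME")"`, which is correct whether `SNORTNAME` is set or empty; `prune_snort_logs 30` can then run from a daily cron job after the restart that opens the new day's directory.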