[Snort-users] Snort Logs

Keaton, Lindamaria LKeaton at ...10093...
Wed Sep 17 11:37:10 EDT 2003


How will a new file generate? How I see this, it will kill snort but not
restart it. Will I then have to reboot the system in order for a new
alert file to generate? Is that correct, or am I completely wrong?

This is what I'm trying to accomplish. I want the alert file to
compress and move to a different directory, but then start a new alert
file without killing snort. Is there a way to do this?

-----Original Message-----
From: Demetri Mouratis [mailto:dmourati at ...3877...] 
Sent: Wednesday, September 17, 2003 11:32 AM
To: Keaton, Lindamaria
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort Logs



On Wed, 17 Sep 2003, Keaton, Lindamaria wrote:

> Hello,
>
> I'm running snort 2.0 on Linux 9.0. Does anyone know how to rotate 
> /var/log/snort/alert when it reaches certain size?
>
You could use logrotate with the size option for this.

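       "/var/log/snort/alert" {
           # keep 30 rotated copies
           rotate 30
           # rotate once the file is larger than 100k
           size=100k
           postrotate
               # send SIGHUP to the running snort process
               kill -HUP `pidof /usr/local/bin/snort`
           endscript
       }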

And upgrade to snort 2.0.1 while you are at it.
---------------------------------------------------------------------
Demetri Mouratis
dmourati at ...3878...
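
The rotation asked about at the top of this message (compress the alert file into a different directory and continue with an empty one, without signalling or restarting Snort), as an added example that is not from either poster or from the Snort project. It assumes the writing process holds the alert file open in append mode; `rotate_alert` and its arguments are hypothetical names.

```shell
#!/bin/sh
# Added example: copy-and-truncate rotation for a single log file.
# Assumption: the daemon keeps the file open in append mode (O_APPEND).
# Usage:   rotate_alert <logfile> <archive_dir> <max_bytes>
# Returns: 0 rotated, 1 below threshold, 2 error
rotate_alert() {
    ra_log=$1; ra_dir=$2; ra_max=$3

    [ -f "$ra_log" ] || return 2
    ra_size=$(wc -c < "$ra_log") || return 2
    ra_size=$((ra_size))          # normalise any padding wc may emit

    # Nothing to do until the file reaches the size threshold.
    [ "$ra_size" -ge "$ra_max" ] || return 1

    mkdir -p "$ra_dir" || return 2
    ra_dest="$ra_dir/$(basename "$ra_log").$(date +%Y%m%d-%H%M%S)"

    # Never overwrite an earlier archive (two rotations in one second).
    [ ! -e "$ra_dest.gz" ] || return 2

    # Copy, then compress the copy; the live file is untouched so far.
    cp -p "$ra_log" "$ra_dest" || return 2
    gzip "$ra_dest" || return 2

    # Truncate in place: the inode stays the same, so a writer holding the
    # file open in append mode simply continues at the new end of file.
    # Lines written between the cp above and this truncate are lost.
    true > "$ra_log" || return 2
    return 0
}
```

logrotate's `copytruncate`, `compress` and `olddir` directives perform the same sequence, with the same small window in which lines written between the copy and the truncate are lost.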




