[Snort-users] 2GB limit on alert log
snort at ...10572...
Wed Jul 21 12:03:01 EDT 2004
Has anyone found a good procedure for getting past the 2GB
limit on snort's alert log?
Before anyone suggests this, the problem is not a
filesystem-imposed limit. On the same fs, I have other
apps dumping 20-50GB files daily.
At 2GB, snort exits. If started in fg, it complains file
is too big.
I tried recompiling libpcap with -D_FILE_OFFSET_BITS=64
and -D_LARGEFILE_SOURCE but that did not seem to help.
I searched for articles pertaining to this, but every answer I
have seen seems to think in the direction of the fs.
My logs easily grow to this size within a week with minimal
logging enabled, so I have to find a way around this, and
putting in more sensors is not an option. I have several
heavily populated /17's behind this sensor and that is not
going to change.
I would prefer not to SIGHUP and rename every week.
Keeping the data in one contiguous file is much preferred.
MySQL is not an option either. I kicked that beeotch to
the curb some time ago. Flat files, shell scripts and
snortalog are the only sensible way to go for me. : - )
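The "file is too big" exit described above is the EFBIG ("File too large") error a process gets when it writes at or past offset 2^31-1 through a 32-bit off_t, i.e. without large-file support compiled in. The -D_FILE_OFFSET_BITS=64 define only helps the program that actually opens the file: libpcap writes packet-capture files, while the alert log is opened by snort's own output code, so the define has to be in effect there. The following probe is an added example (not from the post, not snort code) that reports whether a build has a 64-bit off_t and then seeks to the 2 GiB boundary in a sparse temporary file to show where a non-LFS build fails; the directory argument and file template are constructed for the example.

```c
/* Added example: probe large-file support and the 2 GiB EFBIG boundary.
 * The _FILE_OFFSET_BITS define must precede every #include to take effect;
 * remove it (or build with -m32) to reproduce the 32-bit off_t failure. */
#define _FILE_OFFSET_BITS 64
#define _LARGEFILE_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 when off_t is 64 bits wide, so offsets beyond 2 GiB - 1 are representable. */
int lfs_enabled(void) {
    return sizeof(off_t) == 8;
}

/* Seek to offset 2^31-1 (the last offset a 32-bit off_t can hold) and write
 * one byte there. Without large-file support the write fails with EFBIG,
 * which is the "File too large" message seen in the foreground. The file is
 * sparse (almost no disk use) and is unlinked immediately, so nothing remains.
 * Returns 0 on success, otherwise the errno value of the failing call. */
int probe_write_past_2gib(const char *dir) {
    char path[4096];
    snprintf(path, sizeof path, "%s/lfs-probe-XXXXXX", dir);  /* constructed template */
    int fd = mkstemp(path);
    if (fd < 0) return errno;
    unlink(path);                       /* file disappears when fd is closed */

    int rc = 0;
    off_t boundary = 2147483647;        /* 2^31 - 1: MAX_NON_LFS on Linux */
    if (lseek(fd, boundary, SEEK_SET) == (off_t)-1)
        rc = errno;
    else if (write(fd, "X", 1) != 1)
        rc = errno;                     /* EFBIG here on a non-LFS build */
    close(fd);
    return rc;
}

int main(void) {
    printf("off_t is %zu bytes: large-file support %s\n",
           sizeof(off_t), lfs_enabled() ? "enabled" : "missing");
    int rc = probe_write_past_2gib("/tmp");
    if (rc == 0)
        printf("write at 2 GiB boundary succeeded\n");
    else
        printf("write at 2 GiB boundary failed: %s\n", strerror(rc));
    return rc == 0 ? 0 : 1;
}
```

Running the same source with and without the leading define (or with -m32) shows the two outcomes; the same check applied to the snort binary is whether the object code that opens the alert file was compiled with these defines, not whether the filesystem allows big files.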