[Snort-users] 2GB limit on alert log

Aaron snort at ...10572...
Wed Jul 21 12:03:01 EDT 2004


Has anyone found a good procedure for getting past the 2GB 
limit on snort's alert log?

Before anyone suggests this, the problem is not a 
filesystem imposed limit.  On the same fs, I have other 
apps dumping 20-50GB files daily.

At 2GB, snort exits.  If started in fg, it complains the file 
is too big.

I tried recompiling libpcap with -D_FILE_OFFSET_BITS=64 
and -D_LARGEFILE_SOURCE but that did not seem to help.

I searched for articles pertaining to this, but every answer 
I have seen seems to think in the direction of fs 
limitations.

My logs easily grow to this size within a week with minimal 
logging enabled, so I have to find a way around this, and 
putting in more sensors is not an option.  I have several 
heavily populated /17's behind this sensor and that is not 
going to change.

I would prefer not to SIGHUP and rename every week. 
Keeping the data in one contiguous file is much preferred.

MySQL is not an option either.  I kicked that beeotch to 
the curb some time ago.  Flat files, shell scripts and 
snortalog are the only sensible way to go for me.  : - )
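As an added example (not part of the original post or of snort/libpcap): a small C probe that reports the off_t width a given build was compiled with and whether that build can position a file offset past 2 GiB, which is the ceiling described above. The -D_FILE_OFFSET_BITS=64 and -D_LARGEFILE_SOURCE defines only affect the translation units compiled with them, so compiling this probe with and without those flags on a 32-bit host shows the difference; on a 64-bit host both builds report 64 bits. The scratch paths under /tmp and the current directory are assumptions.

```c
/* Added example, not code from the post or from snort/libpcap.
   Build twice on a 32-bit host to compare:
     cc -o probe probe.c
     cc -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -o probe64 probe.c */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Width in bits of the off_t this translation unit was compiled with.
   32 means offsets stop at 2^31 - 1 bytes: the 2 GB ceiling. */
int off_t_bits(void) { return (int)(sizeof(off_t) * 8); }

/* Try to seek to one byte past 2 GiB in an empty scratch file.
   Returns 1 if the offset is representable and the seek succeeds,
   0 otherwise with errno set (EOVERFLOW when off_t cannot hold it,
   the same error lseek reports when a result does not fit).
   Nothing is written, so the file stays empty and uses no disk. */
int can_seek_past_2gb(void) {
    /* assumed scratch locations; the file is unlinked immediately */
    char tmp1[] = "/tmp/lfs-probe-XXXXXX";
    char tmp2[] = "./lfs-probe-XXXXXX";
    int fd = mkstemp(tmp1);
    if (fd >= 0) unlink(tmp1);
    else if ((fd = mkstemp(tmp2)) >= 0) unlink(tmp2);
    if (fd < 0) return 0;

    int ok = 0;
    if (off_t_bits() >= 64) {
        /* 2^31 + 1 as a 64-bit literal; the guard above keeps it from
           being silently truncated into a 32-bit off_t. */
        off_t target = (off_t)(2147483648LL + 1);
        ok = (lseek(fd, target, SEEK_SET) == target);
    } else {
        errno = EOVERFLOW;
    }
    close(fd);
    return ok;
}

int main(void) {
    printf("off_t is %d bits\n", off_t_bits());
    if (can_seek_past_2gb())
        puts("this build can address offsets beyond 2 GiB");
    else
        printf("seek past 2 GiB failed: %s\n", strerror(errno));
    return 0;
}
```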
