[Snort-users] Archiving Snort logs

Paul Schmehl pschmehl_lists at ...14358...
Thu Feb 25 00:12:02 EST 2010


Not trying to be a smartass, but you have heard of syslog, right?

vi /etc/newsyslog.conf and add

/var/log/snort/snort.u2.*  660 100 * @T00  BG /var/run/snort/snort_eth0.pid

Please don't copy the example.  Read the man page.

--On February 24, 2010 3:20:18 PM +0000 "Sharma, Ashish" 
<ashish.sharma3 at ...6440...> wrote:

> Joel,
>
> Ok I got the point.
>
> There are plenty of approaches to archive DB files.
>
> Here I want to know how I can clean up 'snort.log' files automatically
> that keep on growing in a production system without much admin
> interference.
>
> Thanks in advance
> Ashish Sharma
>
> -----Original Message-----
> From: Joel Esler [mailto:jesler at ...1935...]
> Sent: Tuesday, February 23, 2010 8:38 PM
> To: firnsy
> Cc: Sharma, Ashish; Snort Users List
> Subject: Re: [Snort-users] Archiving Snort logs
>
> On Feb 23, 2010, at 5:21 AM, firnsy wrote:
>
>> On Tue, 2010-02-23 at 08:47 +0000, Sharma, Ashish wrote:
>>
>>> Here I want to know: is 'Barnyard2' also cleaning up the snort
>>> logs?
>>>
>>
>> No, it doesn't. Barnyard2 is only parsing the snort unified log files.
>
> Although you could save the unified files and read them back into the db
> at a later time if you wanted to with barnyard2.  As for cleaning up the
> DB, I think there is a script that can clean up the db.
>
> If you Google "snort db cleanup" many sites come up, however, this one
> popped out at me.  Might give it a shot.
>
> http://www.perlmonks.org/?node_id=247926
>
>
> --
> Joel Esler
> 302-223-5974
>



Paul Schmehl, If it isn't already
obvious, my opinions are my own
and not those of my employer.
******************************************
WARNING: Check the headers before replying
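Paul's newsyslog line above hands rotation to the system: newsyslog renames the unified2 files at midnight (the B flag treats them as binary, G lets the pattern glob) and signals the PID in /var/run/snort/snort_eth0.pid so Snort reopens its output. As an added example that is not from this thread or from the Snort project, the script below shows the same idea done from cron in plain sh for a system without newsyslog: it keeps the newest files in place and gzips the rest into an archive directory, so the raw unified2 data can still be fed back through barnyard2 later, as Joel described. It assumes Snort's default unified2 naming (snort.u2.<unix-timestamp>, so lexical order is chronological) and that everything older than the KEEP newest files has already been consumed by Barnyard2; the function name archive_snort_u2 and the sample files in the usage are constructed for this example.

```shell
#!/bin/sh
# Added example: age out Snort unified2 files by count, compressing old ones
# into an archive directory.  Not the thread's newsyslog method, an alternative.
#
# Assumptions (constructed for this example):
#   - Snort writes unified2 files named snort.u2.<unix-timestamp> into LOGDIR,
#     so sorting by name sorts by age.
#   - Barnyard2 has already read everything except the KEEP newest files, so
#     the files we move are no longer being appended to or tailed.
#
# Usage: archive_snort_u2 LOGDIR ARCHIVEDIR KEEP
#   Prints the number of files archived.

archive_snort_u2() {
    logdir=$1
    archivedir=$2
    keep=$3

    [ -d "$logdir" ] || return 1
    mkdir -p "$archivedir" || return 1

    # Only uncompressed unified2 files with a numeric timestamp suffix.
    files=$(ls "$logdir" | grep '^snort\.u2\.[0-9][0-9]*$' | sort)
    total=$(printf '%s\n' "$files" | grep -c . || true)

    # Nothing older than the KEEP newest files: nothing to do.
    if [ "$total" -le "$keep" ]; then
        echo 0
        return 0
    fi

    nold=$((total - keep))
    archived=0
    # head keeps the oldest files; the KEEP newest stay in LOGDIR for Snort
    # and Barnyard2.  gzip -c writes the archive copy first, and the original
    # is removed only after the compressed copy was written successfully.
    for f in $(printf '%s\n' "$files" | head -n "$nold"); do
        if gzip -c "$logdir/$f" > "$archivedir/$f.gz"; then
            rm -f "$logdir/$f"
            archived=$((archived + 1))
        else
            rm -f "$archivedir/$f.gz"
        fi
    done
    echo "$archived"
}

# Run from cron, e.g. nightly:
#   archive_snort_u2 /var/log/snort /var/log/snort/archive 2
if [ "$#" -eq 3 ]; then
    archive_snort_u2 "$1" "$2" "$3"
fi
```

To read an archived file back into the database later, decompress it and point barnyard2 at it in batch mode; the script never touches the newest KEEP files, which is where Snort is still writing and where Barnyard2's bookmark is most likely to sit.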