[Snort-users] Daemonlogger -- Response to Marty Roesch

Marty Roesch (maroesch) maroesch at ...589...
Tue Aug 4 12:06:07 EDT 2015


Thanks, I’ve been meaning to get a new release going for a while.  Maybe
this will get me off my butt and working on it again. :)

Marty

-- 
Martin Roesch
VP/Chief Architect, Security Business Group
  ,,_
o"  )~   Intelligent Cybersecurity for the Real World   . : | : . : | : .
   '''' 







On 7/28/15, 8:54 AM, "Turnbough, Bradley E." <bturnbough at ...15650...> wrote:

>Ok.  I'll get a line of script included into the init script.
>
>Thanks for all of your help!  I appreciate it.  Daemonlogger is a handy
>little tool to have in our environment.
>
>To my knowledge, I don't see anything else that needs attention.  Maybe
>an update of the param listing from the '--help' screen, but that's about
>it.
>
>Again, thank you.
>
>Brad
>
>________________________________________
>From: Marty Roesch (maroesch) [maroesch at ...589...]
>Sent: Monday, July 27, 2015 5:36 PM
>To: Turnbough, Bradley E.
>Subject: Re: Daemonlogger -- Response to Marty Roesch
>
>Ok…
>
>So, clearing logs from past runs is typically something for your startup
>script to handle.  I remember this came up in the past and that’s kind of
>where we left things.  Clearing out the logging directory before starting
>seems like a lot of code to replicate functions that shell scripts can do,
>you know? :)
>
>Sorry about the undocumented features, it is documented in the README
>file.  I’ve been finding a few things that probably could stand updating
>as I’ve been looking around in the code for DaemonLogger so maybe there
>will be a new version sooner rather than later.
>
>Assuming scripting gets the job done, are there other problems you’re
>running into?
>
>Marty
>
>--
>Martin Roesch - maroesch at ...589...
>VP/Chief Architect, Security Business Group
>   ,,_
>  o"  )~  Sourcefire - Now a part of Cisco   . : | : . : | : .
>   ''''
>
>
>
>
>
>
>On 7/27/15, 10:53 AM, "Turnbough, Bradley E." <bturnbough at ...15650...> wrote:
>
>>
>>-Z :
>>daemonlogger: invalid option -- 'Z'
>>
>>-z :
>>[-] Pruning behavior set to oldest THIS RUN
>>
>>Undocumented flags are always fun :)
>>
>>Closer, but still no solution.
>>
>>If *no* -z flag is set, I see this:
>>
>>[-] Pruning behavior set to oldest IN DIRECTORY
>>
>>
>>But, it's not working as advertised.
>>
>>
>>
>>________________________________________
>>From: Marty Roesch (maroesch) [maroesch at ...589...]
>>Sent: Friday, July 24, 2015 4:19 PM
>>To: Turnbough, Bradley E.
>>Cc: snort-users at lists.sourceforge.net
>>Subject: Re: Daemonlogger -- Response to Marty Roesch
>>
>>Try the -z option and see if that helps out...
>>
>>
>>Please Sent from my iPhone
>>
>>> On Jul 24, 2015, at 4:46 PM, Turnbough, Bradley E. <bturnbough at ...15650...> wrote:
>>>
>>> I think I've recreated the issue.
>>>
>>> running:
>>> daemonlogger -i p5p3 -l /var/log/daemonlogger/p5p3 -n daemonlogger-p5p3 -p daemonlogger-p5p3.pid -r -m 5 -s 1g
>>>
>>> I let it run for a while.  The process was working just fine.  (5
>>> files, rotated every 1 gig)
>>>
>>> I then stopped the process by issuing a ctrl-c, and then restarted it
>>> again.
>>>
>>> Now I have more than 5 files:
>>>
>>> -rw-r--r--  1 root root 1.1G Jul 24 15:51 daemonlogger-p5p3.1437766803
>>> -rw-r--r--  1 root root 1.1G Jul 24 16:00 daemonlogger-p5p3.1437767505
>>> -rw-r--r--  1 root root 1.1G Jul 24 16:09 daemonlogger-p5p3.1437768022
>>> -rw-r--r--  1 root root 1.1G Jul 24 16:21 daemonlogger-p5p3.1437768591
>>> -rw-r--r--  1 root root 184M Jul 24 16:23 daemonlogger-p5p3.1437769280
>>> -rw-r--r--  1 root root 1.1G Jul 24 16:32 daemonlogger-p5p3.1437769403
>>> -rw-r--r--  1 root root 420M Jul 24 16:37 daemonlogger-p5p3.1437769947
>>>
>>> I have some scripts that stop the snort / barnyard / daemonlogger
>>>processes every night.  They're all restarted again once backups are
>>>finished and whatnot.
>>>
>>> I believe this is why I have so many extra files hanging around.  I
>>> don't believe the program should work this way, but I can't say for
>>> certain, as you wrote it  :)  I would think that the program would load
>>> the filenames into an array and drop the first one off of the list,
>>> regardless of whether it actually wrote out the file during its
>>> invocation.
>>>
>>> Thoughts?
>>>
>>>
>>> ________________________________________
>>> From: Marty Roesch (maroesch) [maroesch at ...589...]
>>> Sent: Friday, July 24, 2015 2:27 PM
>>> To: Turnbough, Bradley E.; snort-users at lists.sourceforge.net
>>> Subject: Re: Daemonlogger -- Response to Marty Roesch
>>>
>>> In theory it shouldn’t make a difference, let it run and see if there’s a
>>> difference in fact.  It used to work when 1.2.1 was released but I haven’t
>>> done the tech support thing for my own OSS in a while so maybe something is
>>> broken on newer systems and I need to dig into it a little deeper and see
>>> what’s going on.
>>>
>>> Let me know if it prunes properly now that the size limiter is working.
>>>
>>> --
>>> Martin Roesch - maroesch at ...589...
>>> VP/Chief Architect, Security Business Group
>>>   ,,_
>>>  o"  )~  Sourcefire - Now a part of Cisco   . : | : . : | : .
>>>   ''''
>>>
>>>
>>>
>>>
>>>
>>>
>>>> On 7/24/15, 3:19 PM, "Turnbough, Bradley E." <bturnbough at ...15650...> wrote:
>>>>
>>>> That's what I was thinking as well.  Yes, x86_64
>>>>
>>>> uname -a:
>>>> Linux awidssen01 2.6.32-431.23.3.el6.x86_64 #1 SMP Thu Jul 31 17:20:51
>>>> UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
>>>>
>>>> Running this:
>>>> daemonlogger -i p5p3 -l /var/log/daemonlogger/p5p3 -n daemonlogger-p5p3 -p daemonlogger-p5p3.pid -r -m 5 -s 1g
>>>>
>>>>
>>>> Produced this:
>>>> [-] Interface set to p5p3
>>>> [-] Logpath set to /var/log/daemonlogger/p5p3
>>>> [-] Max files to write set to 5
>>>> [-] Log filename set to "daemonlogger-p5p3"
>>>> [-] Pidfile configured to "daemonlogger-p5p3.pid"
>>>> [-] Pidpath configured to "/var/run"
>>>> [-] Ringbuffer active
>>>> [-] Rollover configured for 1 gigabytes
>>>> [-] Rollover configured for 0 none
>>>> [-] Pruning behavior set to oldest IN DIRECTORY
>>>>
>>>> -*> DaemonLogger <*-
>>>> Version 1.2.1
>>>> By Martin Roesch
>>>> (C) Copyright 2006-2007 Sourcefire Inc., All rights reserved
>>>>
>>>> Checking partition stats for log directory
>>>>"/var/log/daemonlogger/p5p3/."
>>>> sniffing on interface p5p3
>>>> start_sniffing() device p5p3 network lookup:    p5p3: no IPv4 address
>>>> assigned
>>>>
>>>>
>>>> It appears to be working (as I'm seeing files broken at 1gig marks), but
>>>> the problem I was having before was that the files weren't being purged
>>>> as they should.  The initial message I sent out stated I had 156+ (1gig)
>>>> files.
>>>>
>>>> Would the flags "-s 1g" / "-s 1000000000" make a difference functionality
>>>> wise?
>>>> ________________________________________
>>>> From: Marty Roesch (maroesch) [maroesch at ...589...]
>>>> Sent: Friday, July 24, 2015 2:03 PM
>>>> To: Turnbough, Bradley E.; snort-users at lists.sourceforge.net
>>>> Subject: Re: Daemonlogger -- Response to Marty Roesch
>>>>
>>>> Well there’s your problem right there.  Looks like there’s some sort of
>>>> signage/wraparound issue going on.  Is this on x86?
>>>>
>>>> Try
>>>>
>>>> daemonlogger -i p5p3 -l /var/log/daemonlogger/p5p3 -n daemonlogger-p5p3 -p daemonlogger-p5p3.pid -r -m 5 -s 1g
>>>>
>>>>
>>>> And send me the runtime output from that run.
>>>>
>>>>
>>>> --
>>>> Martin Roesch - maroesch at ...589...
>>>> VP/Chief Architect, Security Business Group
>>>>  ,,_
>>>> o"  )~  Sourcefire - Now a part of Cisco   . : | : . : | : .
>>>>  ''''
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On 7/24/15, 2:55 PM, "Turnbough, Bradley E." <bturnbough at ...15650...> wrote:
>>>>
>>>>> cat /etc/centos-release:
>>>>> CentOS release 6.5 (Final)
>>>>>
>>>>> Running this:
>>>>> daemonlogger -i p5p3 -l /var/log/daemonlogger/p5p3 -n daemonlogger-p5p3 -p daemonlogger-p5p3.pid -r -m 5
>>>>>
>>>>> Produced this:
>>>>> [-] Interface set to p5p3
>>>>> [-] Logpath set to /var/log/daemonlogger/p5p3
>>>>> [-] Max files to write set to 5
>>>>> [-] Log filename set to "daemonlogger-p5p3"
>>>>> [-] Pidfile configured to "daemonlogger-p5p3.pid"
>>>>> [-] Pidpath configured to "/var/run"
>>>>> [-] Ringbuffer active
>>>>> [-] Rollover size set to 18446744071562067968 bytes
>>>>> [-] Rollover time configured for 0 seconds
>>>>> [-] Pruning behavior set to oldest IN DIRECTORY
>>>>>
>>>>> -*> DaemonLogger <*-
>>>>> Version 1.2.1
>>>>> By Martin Roesch
>>>>> (C) Copyright 2006-2007 Sourcefire Inc., All rights reserved
>>>>>
>>>>> Checking partition stats for log directory
>>>>>"/var/log/daemonlogger/p5p3/."
>>>>> sniffing on interface p5p3
>>>>> start_sniffing() device p5p3 network lookup:    p5p3: no IPv4 address
>>>>> assigned
>>>>> Logging packets to
>>>>> /var/log/daemonlogger/p5p3/daemonlogger-p5p3.1437764092
>>>>>
>>>>>
>>>>>
>>>>> ________________________________________
>>>>> From: Marty Roesch (maroesch) [maroesch at ...589...]
>>>>> Sent: Friday, July 24, 2015 1:52 PM
>>>>> To: Turnbough, Bradley E.; snort-users at lists.sourceforge.net
>>>>> Subject: Re: Daemonlogger -- Response to Marty Roesch
>>>>>
>>>>> What platform is this on?
>>>>>
>>>>> Can you grab the configuration output that it dumps to the screen when it
>>>>> runs and send that over too?
>>>>>
>>>>> Marty
>>>>>
>>>>> --
>>>>> Martin Roesch - maroesch at ...589...
>>>>> VP/Chief Architect, Security Business Group
>>>>>  ,,_
>>>>> o"  )~  Sourcefire - Now a part of Cisco   . : | : . : | : .
>>>>>  ''''
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 7/24/15, 2:39 PM, "Turnbough, Bradley E." <bturnbough at ...15650...> wrote:
>>>>>
>>>>>> FYI -- I'm running Version 1.2.1, if that helps.
>>>>>>
>>>>>> ________________________________________
>>>>>> From: Turnbough, Bradley E. [bturnbough at ...15650...]
>>>>>> Sent: Friday, July 24, 2015 1:37 PM
>>>>>> To: snort-users at lists.sourceforge.net
>>>>>> Cc: maroesch at ...589...
>>>>>> Subject: [Snort-users] Daemonlogger -- Response to Marty Roesch
>>>>>>
>>>>>> Hi Marty,
>>>>>>
>>>>>> Sorry, but I accidentally deleted our thread.
>>>>>>
>>>>>>
>>>>>> I did as you requested, but daemonlogger is not rolling over to a new
>>>>>> file after 1Gb.
>>>>>>
>>>>>> Here is the file:
>>>>>> -rw-r--r--  1 root root 2.1G Jul 24 14:34 daemonlogger-p5p3.1437762253
>>>>>>
>>>>>> Here is the command:
>>>>>> daemonlogger -d -i p5p3 -l /var/log/daemonlogger/p5p3 -n daemonlogger-p5p3 -p daemonlogger-p5p3.pid -r -m 5
>>>>>>
>>>>>>
>>>>>> _____________________________________________________________
>>>>>> This e-mail transmission contains information that is confidential and
>>>>>> may be privileged. It is intended only for the addressee(s) named above.
>>>>>> If you receive this e-mail in error, please do not read, copy or
>>>>>> disseminate it in any manner. If you are not the intended recipient, any
>>>>>> disclosure, copying, distribution or use of the contents of this
>>>>>> information is prohibited. Please reply to the message immediately by
>>>>>> informing the sender that the message was misdirected. After replying,
>>>>>> please erase it from your computer system. Your assistance in correcting
>>>>>> this error is appreciated.
>>>>>
>>>>
>>>
>
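A startup-script pruning step of the kind the thread settles on (Marty's point that clearing captures from past runs belongs in the init script, and Brad's plan to add a line to his), as an added example that is not part of the thread and not Daemonlogger's own code. It assumes the BASENAME.<unix epoch> file naming seen in the listings above, so that a reverse lexical sort of the names puts the newest capture first.

```shell
#!/bin/sh
# Added example: prune stale Daemonlogger ring-buffer files before (re)starting
# the daemon, so a restart never leaves more than MAX captures in the directory.
# In the thread, the default "oldest IN DIRECTORY" pruning was not removing
# files left by earlier runs, and -z ("oldest THIS RUN") only ever prunes files
# written by the current process, so captures accumulate across nightly restarts
# unless the startup script clears them first.
# Assumes names of the form BASENAME.<epoch>, e.g. daemonlogger-p5p3.1437766803.

# Print the number of capture files for BASENAME in DIR (0 when none exist).
count_logs() {
    dir=$1; base=$2; n=0
    for f in "$dir/$base".*; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Delete all but the newest MAX capture files for BASENAME in DIR.
# The epoch suffix is fixed-width, so "sort -r" lists the newest capture first;
# everything after the first MAX entries is removed. Returns 1 on a bad MAX.
prune_logs() {
    dir=$1; base=$2; max=$3
    [ "$max" -ge 0 ] 2>/dev/null || {
        echo "prune_logs: MAX must be a non-negative integer" >&2
        return 1
    }
    for f in "$dir/$base".*; do
        [ -e "$f" ] && printf '%s\n' "$f"
    done | sort -r | tail -n +"$((max + 1))" | while IFS= read -r old; do
        rm -f -- "$old"
    done
}

# Typical init-script use, before launching the daemon (paths from the thread).
# Passing one less than -m leaves room for the new run's first capture file.
#   prune_logs /var/log/daemonlogger/p5p3 daemonlogger-p5p3 4
#   daemonlogger -i p5p3 -l /var/log/daemonlogger/p5p3 -n daemonlogger-p5p3 \
#       -p daemonlogger-p5p3.pid -r -m 5 -s 1g
```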


