[Snort-users] starting multiple instances of snort

James snort at ...16635...
Mon Dec 7 03:19:40 EST 2015


Hi,

Both great ideas which I had to check. Unfortunately neither seem to be the
cause; no log dir defined in the conf and the perfmon preproc is commented
out. Any other suggestions?

Thanks
J.

On 4 December 2015 at 16:22, Y M <snort at ...15979...> wrote:

> If I would throw a guess at it I would look in
> snort.conf file if it has the logdir statically defined in "config
> logdir:" This may cause a conflict.
>
> Also I would check if snort.conf has perfmon configured. By default snort
> will dump stats to /var/snort as opposed to the default log directory
> /var/log/snort.
>
> YM
>
> Sent from Mobile
>
>
>
>
> On Fri, Dec 4, 2015 at 7:55 AM -0800, "James" <snort at ...16635...>
> wrote:
>
> Hi,
>
> I'm attempting to start 16 instances of snort using a for loop, but see
> this error repeating in /var/log/messages and hope someone can help as I'm
> drawing a blank at the moment.
>
> snort[8537]: FATAL ERROR: Stat check on log dir failed: No such file or
> directory.
>
> This is the loop:
>
> for i in `seq 0 1 15`; do
> snort -q -u snort -g snort --pid-path /var/run --create-pidfile -D -c
> /etc/snort/snort.conf -l /logs/snort/eth4_eth5/instance-$i
> --daq-dir=/usr/local/lib/daq --daq pfring_zc --daq-mode passive -i zc:eth4@
> $i,zc:eth5@$i --daq-var clusterid=$i --daq-var bindcpu=$i
> done
>
> The referenced log dirs exist and are owned by the snort user, as shown:
>
> []$ sudo -u snort ls -al /logs/snort/eth4_eth5/
> total 72
> drwx------ 18 snort snort 4096 Dec  4 10:44 .
> drwx------  3 snort snort 4096 Dec  4 10:43 ..
> drwx------  2 snort snort 4096 Dec  4 10:50 instance-0
> drwx------  2 snort snort 4096 Dec  4 10:50 instance-1
> drwx------  2 snort snort 4096 Dec  4 10:44 instance-10
> drwx------  2 snort snort 4096 Dec  4 10:44 instance-11
> drwx------  2 snort snort 4096 Dec  4 10:53 instance-12
> drwx------  2 snort snort 4096 Dec  4 10:54 instance-13
> drwx------  2 snort snort 4096 Dec  4 10:54 instance-14
> drwx------  2 snort snort 4096 Dec  4 10:54 instance-15
> drwx------  2 snort snort 4096 Dec  4 10:51 instance-2
> drwx------  2 snort snort 4096 Dec  4 10:51 instance-3
> drwx------  2 snort snort 4096 Dec  4 10:51 instance-4
> drwx------  2 snort snort 4096 Dec  4 10:52 instance-5
> drwx------  2 snort snort 4096 Dec  4 10:52 instance-6
> drwx------  2 snort snort 4096 Dec  4 10:52 instance-7
> drwx------  2 snort snort 4096 Dec  4 10:44 instance-8
> drwx------  2 snort snort 4096 Dec  4 10:44 instance-9
>
> Any help is much appreciated.
>
> J.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20151207/06462dab/attachment.html>


More information about the Snort-users mailing list