
Re: archive snort logs?


From: Skip Carter <skip () taygeta com>
Date: Wed, 03 Apr 2002 09:22:20 -0800


My snort log files are getting too big.  How can I automatically archive and
remove snort log files?

__________________
Devon Harding

  I have cron run the following script daily.  (This one is for OpenBSD;
  you will have to adjust it slightly for other *nix OSes.)  It keeps fourteen
  daily generations and simply discards the oldest (two-week-old) file on each
  run; it would be trivial to move that file to tape or elsewhere if that's what
  you want to do with it.  Note that it sends SIGHUP to whatever PID is in snort's
  pidfile, and cron will normally run it as root, so that pidfile should be
  writable only by root.


#!/bin/sh
# $Header: 10.syslogd.system,v 1.2.2.2 90/01/22 10:23:23 wje Exp $
#
# Roll over the snort log files
#
# Pin the search path: cron's environment is minimal and must not be trusted
# to find mv(1), chmod(1) and kill(1) for us.
PATH='/bin:/usr/bin'

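main()
{
        # Rotate each Snort log through 14 generations, then HUP the daemon
        # so it reopens the freshly created (empty) live files.
        # Arguments: accepted for compatibility with the call site, unused.
        # Returns:   0 on success; 1 if the pidfile does not hold a PID.
        printf '\nRotating snort log files:\n'
        for file in /var/log/snort/alert /var/log/snort/portscan.log /var/log/snort/ARP
        do
                printf '%s\n' "$file"
                roll14 "$file"
        done

        # Only signal a PID that really came from the pidfile.  Cron runs
        # this as root, so an empty, missing or non-numeric pidfile must not
        # turn into a bare "kill -1" or a HUP of some unrelated process.
        pidfile=/var/run/snort_fxp1.pid
        pid=$(cat "$pidfile" 2>/dev/null)
        case "$pid" in
        ''|*[!0-9]*)
                printf 'cannot read a numeric pid from %s; not sending SIGHUP\n' "$pidfile" >&2
                return 1
                ;;
        esac
        echo sending SIGHUP to snort
        kill -HUP "$pid"
}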

roll()
{
        # Rename generation $1 to $2.  A missing $1 is not an error: early
        # in a log's life most generations simply do not exist yet.
        # Returns: 0 when $1 is absent, otherwise mv's exit status.
        if [ ! -f "$1" ]
        then
                return 0
        fi
        mv "$1" "$2"
}

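roll14()
{
    # Shift "$1".13 -> .14, .12 -> .13, ..., "$1" -> .01 and recreate an
    # empty "$1".  Whatever was in .14 is overwritten, so with one run per
    # day the two-week-old generation is discarded.
    # Arguments: $1 - path of the live log file
    # Counting down with POSIX arithmetic instead of spelling out 13 mv's
    # keeps this portable (no seq(1) on the BSDs) and easy to change.
    n=13
    while [ "$n" -ge 1 ]
    do
        roll "$1".$(printf '%02d' "$n") "$1".$(printf '%02d' $((n + 1)))
        n=$((n - 1))
    done
    roll "$1"    "$1".01
    # Recreate the live log empty.  The daemon still holds its descriptor
    # on the renamed file, so nothing written before the HUP is lost.
    : > "$1"
    # NOTE(review): 0644 leaves the IDS alert log world-readable; tighten
    # to 0640 with a suitable group if other local users are untrusted.
    chmod 644 "$1"
}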

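# Propagate main's status rather than a hard-wired success so that cron
# notices a failed rotation or a failed HUP (e.g. unreadable pidfile).
# ${1+"$@"} is the old Bourne-shell-safe spelling of "$@".
main ${1+"$@"}
exit $?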


-- 
 Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX:  831-641-0647
 Taygeta Scientific Inc.        INTERNET: skip () taygeta com
 1340 Munras Ave., Suite 314    WWW: http://www.taygeta.com
 Monterey, CA. 93940            













