Snort mailing list archives
Re: Snort Logs
From: "Michael Sconzo" <msconzo () tamu edu>
Date: Wed, 17 Sep 2003 15:24:32 -0500
I am doing something like this with my setup. I am currently using logrotate to rotate the logs:

/home/snort/alert {
    postrotate
        /usr/bin/killall -HUP snort
    endscript
}

/home/snort/portscan.log {
    compress
    postrotate
        /usr/bin/killall -HUP snort
    endscript
}

I found that it restarts with the -HUP creating a new alert file, but it would die due to not being able to set the device in promisc mode. So I setuid /usr/local/bin/snort

I have been trying to think of a workaround for this, but so far nothing worth anything. So if anybody has any suggestions on this, that would also be nice.

Thanks,
-Mike

----- Original Message -----
From: "Keaton, Lindamaria" <LKeaton () unionsafe com>
To: "Demetri Mouratis" <dmourati () cm math uiuc edu>
Cc: <snort-users () lists sourceforge net>
Sent: Wednesday, September 17, 2003 1:37 PM
Subject: RE: [Snort-users] Snort Logs
How will a new file generate? How I see this, it will kill snort but not restart it. Will I then have to reboot the system in order for a new alert file to generate? Is that correct, or am I completely wrong?

This is what I'm trying to accomplish. I want the alert file to either compress and move to a different directory, but then start a new alert file without killing snort. Is there a way to do this?

-----Original Message-----
From: Demetri Mouratis [mailto:dmourati () cm math uiuc edu]
Sent: Wednesday, September 17, 2003 11:32 AM
To: Keaton, Lindamaria
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort Logs

On Wed, 17 Sep 2003, Keaton, Lindamaria wrote:

> Hello,
> I'm running snort 2.0 on Linux 9.0. Does anyone know how to rotate
> /var/log/snort/alert when it reaches a certain size?

You could use logrotate with the size option for this.

"/var/log/snort/alert" {
    rotate 30
    size=100k
    postrotate
        kill -HUP `pidof /usr/local/bin/snort`
    endscript
}

And upgrade to snort 2.0.1 while you are at it.

---------------------------------------------------------------------
Demetri Mouratis
dmourati () linfactory com

-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list
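An added example, not part of the original thread or of the Snort project: a logrotate stanza for the case asked about above, rotating the alert file by size into another directory without signalling or restarting Snort. That avoids the HUP restart that failed to re-enter promiscuous mode, and so removes the reason for making the snort binary setuid. The paths /var/log/snort/alert, /var/log/snort/portscan.log and /var/log/snort/archive are assumptions, as is Snort writing these files in append mode.

```conf
# Added example (not from the thread). All paths are assumptions;
# adjust them to where your Snort instance writes its logs.
/var/log/snort/alert /var/log/snort/portscan.log {
    # Rotate once a file grows past 100 KB, keep 30 old copies.
    size 100k
    rotate 30

    # Do not fail if a file is absent, and skip empty files.
    missingok
    notifempty

    # Copy the live file, then truncate the original in place.
    # Snort keeps its open file handle, so no kill -HUP is needed
    # and the process never has to reopen the capture device.
    # Assumption: Snort appends to these files; a writer that does
    # not append would leave a sparse file after truncation.
    # Caveat: lines written between the copy and the truncate are
    # lost, so this trades a small gap for zero sensor downtime.
    copytruncate

    # Store rotated copies in a separate directory. It must already
    # exist and should be writable only by root or the snort user.
    olddir /var/log/snort/archive

    # The rotated copy is static, so it can be compressed at once.
    compress

    # No postrotate script: nothing signals or restarts Snort.
}
```

Running logrotate -d against the file prints what would be rotated without touching the logs.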