Snort mailing list archives
Re: >2Gb capture files
From: Chris Green <cmg () uab edu>
Date: 25 Jun 2001 10:52:22 -0500
"Mayers, Philip J" <p.mayers () ic ac uk> writes:
We have a rather high-traffic site, and I just had an embarrassing experience - the snort machine runs RedHat 7.0, and I was running it under screen, so that if it dumped core, I'd see the error messages (It hasn't - nice and stable). However, once the log file reached 2Gb, snort (or glibc) stopped writing... Losing us 18 days of binary packet captures (doh!)
Anyway, I have two questions:
1) Does anyone have a good snort logrotate script?
2) If I upgrade the system to RedHat 7.1, will snort/libpcap suddenly be "ok" with such large files?
Here's a Linux rotate one that stores the logs in dated hourly directories.
Attachment: snort_rotate.sh
I have an hourly snortsnarf and a daily snortsnarf, as well as a pcapmerge run daily to concat all the binary log files. -A fast -b is the logging method.
--
Chris Green <cmg () uab edu>
You now have 14 minutes to reach minimum safe distance.
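As an added example (not the snort_rotate.sh attachment, which is not reproduced on this page), a small POSIX shell routine in the spirit of what the reply describes: finished -b binary logs are filed into dated hourly directories, and any file that has already grown to the 2 GiB boundary from the original question is flagged. It assumes GNU coreutils (date -r) and uses constructed paths.

```shell
#!/bin/sh
# Added example, not the original snort_rotate.sh attachment.
# Files finished snort binary logs (snort.log.<unixtime>, written by -b)
# into ARCHIVE/YYYY/MM/DD/HH/ and flags any that reached the 2 GiB size
# at which the original poster saw writes stop (no large-file support).
# Assumes GNU coreutils for 'date -r'. All paths below are hypothetical.

LIMIT_BYTES=2147483648   # 2 GiB, the boundary discussed in the thread

# Return 0 while FILE is below LIMIT bytes, 1 once it has reached it.
under_limit() {
    file=$1; limit=${2:-$LIMIT_BYTES}
    size=$(wc -c < "$file" | tr -d ' ')
    [ "$size" -lt "$limit" ]
}

# Hourly archive subdirectory for FILE, derived from its mtime: YYYY/MM/DD/HH
hourly_dir() {
    date -r "$1" +%Y/%m/%d/%H
}

# Move every snort.log.* in LOGDIR into ARCHIVE/<hourly_dir>/, skipping the
# file snort still has open (optional third argument, e.g. the newest one).
rotate_snort_logs() {
    logdir=$1; archive=$2; active=${3:-}
    for f in "$logdir"/snort.log.*; do
        [ -f "$f" ] || continue
        [ "$f" = "$active" ] && continue
        if ! under_limit "$f"; then
            echo "WARNING: $f is at the 2 GiB limit; writes stop there on this build" >&2
        fi
        dest=$archive/$(hourly_dir "$f")
        mkdir -p "$dest"
        mv "$f" "$dest/"
    done
}

# Hourly cron usage (constructed paths); the newest log is the one snort is
# still writing, so it is passed as the file to leave in place:
#   rotate_snort_logs /var/log/snort /var/log/snort/archive \
#       "$(ls -t /var/log/snort/snort.log.* | head -1)"
```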