Snort mailing list archives
Re: Help with tcpdump log rotation
From: John Sage <jsage () finchhaven com>
Date: Sat, 11 May 2002 07:17:26 -0700
On Fri, May 10, 2002 at 03:54:43PM -0500, Rob Hughes wrote:
On Fri, 2002-05-10 at 13:56, Erek Adams wrote:
On 9 May 2002, Rob Hughes wrote:
<snippage>
We'll see how it works now. I still don't see the value of stamping the date/time in the file name though. It's much easier for me to just look at the file creation time on a gzip file and say "oh, that's yesterday's tcpdump file and that's the one I want to examine." File names like "snort-0504@0512.log" aren't making my life any easier, because I don't *care* when the file was created. I want to know when the logging in a given file *ended*, which my way does for me.
um.. Given my method:

[toot@sparky /storage/snort/old_snorts/051002]# ls -la
total 444
drwxr-xr-x   2 jsage jsage   4096 May 11 06:13 .
drwxr-xr-x 356 jsage jsage   8192 May  2 07:15 ..
-rw----r-x   1 jsage jsage   2848 May 10 12:52 alert184.full-0510@0714.log
-rw----r-x   1 jsage jsage   2668 May 11 01:02 alert184.full-0510@1927.log
-rw----r-x   1 jsage jsage   1712 May 10 12:52 p0f.log-0510@0714.log
-rw----r-x   1 jsage jsage   1572 May 11 01:02 p0f.log-0510@1927.log
-rw----r-x   1 jsage jsage 263441 May 10 15:15 snort-0510@0714.log
-rw----r-x   1 jsage jsage 151214 May 11 03:25 snort-0510@1927.log

Packets in *-0510@0717.log include all those up to those received in *-0510@1927.log

Actually, I've found this method to work rather well. There's a faint awkwardness (I suppose..) when one is looking for a packet that came in overnight, but even I've become able to figure out which directory/file it's going to be in.

- John

--
Most people don't type their own logfiles; but, what do I care?
PGP key http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
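As an added illustration of the two naming conventions argued over in this thread (example code, not anything posted by John or Rob), the following Python works out which start-stamped file holds a packet seen at a given time, and converts a name to the end-stamped form Rob prefers. It assumes the rotated names are really of the form snort-MMDD@HHMM.log (the archive shows "() " where the "@" and "." were) and that the year is 2002; the file listing is constructed.

```python
import re
from datetime import datetime

# Constructed sample listing modelled on the start-stamped names in the post
# (MMDD@HHMM = time the capture started); the year is assumed to be 2002.
SAMPLE_FILES = ["snort-0510@0714.log", "snort-0510@1927.log", "snort-0511@0612.log"]
YEAR = 2002
NAME_RE = re.compile(r"^(?P<base>.+)-(?P<stamp>\d{4}@\d{4})\.log$")

def parse_stamp(stamp):
    """Turn an MMDD@HHMM stamp into a datetime (year assumed to be YEAR)."""
    md, hm = stamp.split("@")
    return datetime(YEAR, int(md[:2]), int(md[2:]), int(hm[:2]), int(hm[2:]))

def start_time(name):
    """Start time encoded in a rotated log name, e.g. snort-0510@0714.log."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised log name: {name}")
    return parse_stamp(m.group("stamp"))

def spans(names):
    """Yield (name, start, end): a file holds packets from its own start stamp
    up to the start stamp of the next rotation; the newest file has no end yet."""
    ordered = sorted(names, key=start_time)
    for i, name in enumerate(ordered):
        end = start_time(ordered[i + 1]) if i + 1 < len(ordered) else None
        yield name, start_time(name), end

def file_for(names, stamp):
    """Which rotated file holds a packet seen at MMDD@HHMM? None if before the earliest file."""
    when = parse_stamp(stamp)
    for name, start, end in spans(names):
        if start <= when and (end is None or when < end):
            return name
    return None

def end_stamped_name(name, names):
    """The same file named by the end-time convention instead (the rotation that closed it)."""
    for n, _start, end in spans(names):
        if n == name:
            if end is None:
                return name  # still being written, so it has no end time yet
            return NAME_RE.match(name).group("base") + end.strftime("-%m%d@%H%M.log")
    raise ValueError(f"{name} not in listing")
```

Note that the end-stamped name of one file is exactly the start-stamped name of the next, so the two conventions should not be mixed in one directory.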