Snort mailing list archives
Re: archive snort logs?
From: "james" <the_saint_james () yahoo com>
Date: Wed, 3 Apr 2002 10:09:29 -0700
If you have as much volume as I do it is nice to gzip by day. This script also keeps a week's worth of logs unzipped, so I can grep them quickly. Hack as needed to make it do what you want:

#!/bin/sh
#
# Logfile rotation script for snort written by jameso () elwood net.
#
# Define where you have the base of your snort install
snortbase=/home/james/newsnort/snort-stable

# Define other vars
# logdir     - Where the logs are kept
# oldlogs    - Where you want the archived .tgz logs kept
# weeklogs   - This is where you want to keep a week's worth of log files uncompressed
# dirdate    - Today's date in Month - Day - Year format
# olddirdate - Today's date in the same format as dirdate, minus a week
logdir=/usr/snort/snortlogs/
oldlogs=/home/james/oldsnort/
weeklogs=/home/james/oldsnort/weeklogs/
dirdate=`date "+%m%d%y"`

# Create directory for today's logs.
if [ ! -d "$oldlogs/$dirdate" ]
then
    mkdir "$oldlogs/$dirdate"
fi

# Move the log files into today's log dir. This is done with
# a for loop right now, because I am afraid that if a lot is
# logged there may be too many items to move with a "mv *"
# type command. There may be a better way to do this, but I don't
# know it yet. (Globbing instead of parsing `ls` keeps odd
# filenames intact; the variables are quoted for the same reason.)
for logitem in "$logdir"/* ; do
    [ -e "$logitem" ] || continue
    mv -f "$logitem" "$oldlogs/$dirdate"
done

# Kill and restart snort now that the log files are moved.
/home/james/bin/killsnort.sh
service syslog restart
#kill `cat /var/run/snort_eth0.pid`

# Restart snort in the correct way for you
/home/james/bin/startsnort.sh
#/usr/local/bin/snort -i eth0 -d -D -h 64.169.57.220/24 -l /apps/snort/log \
#    -c /apps/snort/etc/snort.conf > /dev/null 2>&1

# Compress and save the log files for as long as you want.
# This is done in a sub-shell because we change dirs, and I don't want
# to do that within the shell that the script runs in.
#(cd "$oldlogs" && tar zcvf "$oldlogs/$dirdate.tgz" "$dirdate" > /dev/null 2>&1)

# Mail out the log files for today.
#cat "$oldlogs/$dirdate/snort.alert" | mail -s "Snort logs" you () domain com
#cat "$oldlogs/$dirdate/snort_portscan.log" | mail -s "Snort portscan logs" you () domain com
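The same rotation written as a reusable function, added here as an example and not part of james's post: it moves the live logs into a dated directory, keeps the last N days uncompressed for grepping, and compresses older dated directories, which the original script leaves commented out. The function name, the YYYYMMDD naming and the directory layout are assumptions, and restarting snort is left to the caller.

```shell
#!/bin/sh
# Added example, not james's script. Assumed layout: $logdir holds the
# live snort logs, $archive holds one dated subdirectory per day.
# Usage: rotate_snort_logs LIVE_LOG_DIR ARCHIVE_DIR [KEEP_DAYS]

rotate_snort_logs() {
    logdir=$1
    archive=$2
    keep_days=${3:-7}              # days kept uncompressed (assumed default)
    today=$(date "+%Y%m%d")
    dest="$archive/$today"

    mkdir -p "$dest" || return 1

    # Move files one at a time. A glob in a for loop never runs into
    # the argument limit that "mv *" can, and quoting keeps odd names intact.
    for f in "$logdir"/*; do
        [ -e "$f" ] || continue
        mv -f -- "$f" "$dest"/ || return 1
    done

    # Compress dated directories older than keep_days, then drop the
    # uncompressed copy. Today's directory is always skipped, and an
    # existing .tgz is never overwritten, so a re-run is harmless.
    find "$archive" -mindepth 1 -maxdepth 1 -type d \
         ! -name "$today" -mtime +"$keep_days" |
    while IFS= read -r d; do
        name=$(basename "$d")
        if [ -e "$archive/$name.tgz" ]; then
            continue
        fi
        if (cd "$archive" && tar czf "$name.tgz" "$name"); then
            rm -rf -- "$d"
        fi
    done
}
```

The caller still has to stop snort before the move and start it afterwards, exactly as the original script does around its `mv` loop.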