Snort mailing list archives
RE: archive snort logs?
From: Devon Harding - GTHLA <DHarding () gilatla com>
Date: Thu, 4 Apr 2002 08:33:16 -0500
I found the best solution so far. I created this file called 'snort' and
placed it in /etc/logrotate.d/
# Global directive: rotated files are gzip-compressed.
compress
/home/snort/alert /home/snort/portscan.log {
    rotate 30                      # keep 30 rotated copies (30 days with "daily")
    daily
    mail user@domain.com           # placeholder address, replace with your own
    mailfirst                      # mail the just-rotated file, not the expiring one
    olddir /home/snort/oldlog      # rotated copies go here; the directory must exist
    sharedscripts                  # run postrotate once for both files
    postrotate
        /usr/local/bin/demarcd -k
        /usr/local/bin/demarcd
    endscript
}
What this did was compress the alert and portscan.log files into .gz format
and place them in the ../oldlog dir for 30 days. It would then mail the
first uncompressed files to the address specified and restart snort/demarc.
Worked for me,
-Devon
-----Original Message-----
From: james [mailto:the_saint_james () yahoo com]
Sent: Wednesday, April 03, 2002 12:09 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] archive snort logs?
If you have as much volume as I do, it is nice to gzip by day. This script
also keeps a week's worth of logs unzipped, so I can grep them quickly.
Hack as needed to make it do what you want:
#!/bin/sh
#
# Logfile rotation script for snort written by jameso () elwood net.
#
# Define where you have the base of your snort install
snortbase=/home/james/newsnort/snort-stable
# Define other vars
# logdir - Where the logs are kept
# oldlogs - Where you want the archived .tgz logs kept
# weeklogs - This is where you want to keep a week's worth of log files
#            uncompressed
# dirdate - Today's date in Month - Day - Year format
# olddirdate - Today's date in the same format as dirdate, minus a week
logdir=/usr/snort/snortlogs/
oldlogs=/home/james/oldsnort/
weeklogs=/home/james/oldsnort/weeklogs/
dirdate=`date "+%m%d%y"`
# Create directory for today's logs.
if [ ! -d "$oldlogs/$dirdate" ]
then
    mkdir -p "$oldlogs/$dirdate"
fi
# Move the log files into today's log dir. This is done with
# a for loop right now, because I am afraid that if a lot is
# logged there may be too many items to move with a "mv *"
# type command. There may be a better way to do this, but I don't
# know it yet.
# (The loop globs the directory instead of parsing `ls` output, so
# filenames with spaces survive; the -e test skips the unexpanded
# pattern when the directory is empty.)
for logitem in "$logdir"/* ; do
    [ -e "$logitem" ] && mv -f "$logitem" "$oldlogs/$dirdate"
done
# Kill and restart snort now that the log files are moved.
/home/james/bin/killsnort.sh
service syslog restart
#kill `cat /var/run/snort_eth0.pid`
# Restart snort in the correct way for you
/home/james/bin/startsnort.sh
#/usr/local/bin/snort -i eth0 -d -D -h 64.169.57.220/24 -l /apps/snort/log \
# -c /apps/snort/etc/snort.conf > /dev/null 2>&1
# Compress and save the log files to save for as long as you want.
# This is done in a sub-shell because we change dirs, and I don't want
# to do that within the shell that the script runs in.
#(cd "$weeklogs"; tar zcvf "$oldlogs/$dirdate.tgz" "$dirdate" > /dev/null 2>&1)
# Mail out the log files for today (you@domain.com is a placeholder).
#cat "$weeklogs/$dirdate/snort.alert" | mail -s "Snort logs" you@domain.com
#cat "$weeklogs/$dirdate/snort_portscan.log" | mail -s "Snort portscan logs" you@domain.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
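Building on james's move-then-compress approach, here is an added example that is not code from the thread: the daily archive step as one function, with a SHA-256 recorded beside each tarball so a later change to stored alert files can be detected, and pruning of archives older than a retention period. All paths are hypothetical; the demo at the bottom runs on constructed sample files in a throwaway directory.

```shell
#!/bin/sh
# Added example, not from the thread. Archives a Snort log directory into a
# date-stamped gzip tarball, records its SHA-256 so tampering with stored
# alerts is detectable, and prunes archives older than KEEP_DAYS.
# Paths are hypothetical; restart snort afterwards as the thread describes.
set -eu

# archive_snort_logs LOGDIR ARCHIVEDIR KEEP_DAYS
# Moves every file in LOGDIR into ARCHIVEDIR/<mmddyy>, packs that directory
# as ARCHIVEDIR/<mmddyy>.tgz, writes <mmddyy>.tgz.sha256 next to it and
# deletes .tgz/.sha256 files older than KEEP_DAYS. Prints the tarball path.
archive_snort_logs() {
    logdir=$1; archivedir=$2; keep_days=$3
    stamp=$(date "+%m%d%y")
    mkdir -p "$archivedir/$stamp"
    # Glob instead of parsing `ls`: safe with odd filenames and large dirs;
    # the -e test skips the unexpanded pattern when LOGDIR is empty.
    for f in "$logdir"/*; do
        [ -e "$f" ] || continue
        mv -f "$f" "$archivedir/$stamp/"
    done
    # Subshell so the cd does not leak into the caller.
    (cd "$archivedir" && tar czf "$stamp.tgz" "$stamp" && rm -rf "$stamp" \
        && sha256sum "$stamp.tgz" > "$stamp.tgz.sha256")
    # -mtime +N matches files strictly older than N days.
    find "$archivedir" -maxdepth 1 -type f \
        \( -name '*.tgz' -o -name '*.sha256' \) -mtime +"$keep_days" \
        -exec rm -f {} +
    printf '%s\n' "$archivedir/$stamp.tgz"
}

# verify_archive TARBALL: exit 0 only if the recorded checksum still matches.
verify_archive() {
    (cd "$(dirname "$1")" && sha256sum -c --quiet "$(basename "$1").sha256")
}

# Stand-alone demo on constructed sample files in a throwaway directory.
work=$(mktemp -d)
mkdir "$work/logs" "$work/archive"
printf '[**] [1:0:0] constructed sample alert [**]\n' > "$work/logs/alert"
printf '04/04-08:33:16 constructed sample portscan line\n' > "$work/logs/portscan.log"
tgz=$(archive_snort_logs "$work/logs" "$work/archive" 30)
verify_archive "$tgz"
echo "archived and verified: $tgz"
rm -rf "$work"
```

Call archive_snort_logs from logrotate's postrotate or from cron, and keep the .sha256 files somewhere the sensor cannot overwrite them if you want the check to mean anything after a compromise.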