Snort mailing list archives

Re: Help needed with logs


From: Michael Boman <michael.boman () securecirt com>
Date: Tue, 03 Feb 2004 18:30:49 +0800

On Tue, 2004-02-03 at 05:51, Peggy Kam wrote:
Hi,

I am running snort-2.0.4 on RH9.  I would like to know how the alerts 
are logged to the log file?  i.e. during the ID process, are the alerts 
being temporarily stored in a buffer and then output all at 
once to a file, or are they being written to a file every single time an 
alert is triggered by a packet?  The reason why I am asking is that I 
would like to know if I am able to move the logs to another log file 
when the default log file reaches its size limitation.

Thanks in advance,
Peggy

A normal rename (mv) on the same file system does not usually change
anything else but the name itself (i.e. the file is still at the same
inode, which is (simplified) what programs actually use to refer to the
file). In that case, no: you can just rename it and then send a -HUP
signal to snort (or restart it; a complete restart is required if you use
any of the -u/-g/-t flags, IIRC).

I have never moved my logs to a different file system while they are
running, so I haven't tested that one (and hence, don't have a
definitive answer for that scenario).

Best regards
 Michael Boman

-- 
Michael Boman
Security Architect, SecureCiRT Pte Ltd
http://www.securecirt.com
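The inode behaviour described in the reply above, shown with a small shell script. This is an added example and not code from the thread, from Snort, or from the poster: a shell file descriptor stands in for snort holding the alert file open, `mv` on the same file system is a pure rename, and "reopen" is simulated by closing the descriptor and recreating the path (which is what sending -HUP asks snort to do). The second function also covers the case the reply leaves untested, by simulating what `mv` does across file systems (copy, then unlink the original): the writer keeps writing to the now-unlinked inode, so alerts written after the move never reach the copy until the logger reopens. Paths under `mktemp -d` and the alert lines are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the mailing list thread). A shell fd plays the
# role of a logger that already has the alert file open.

# Returns "same" when a same-filesystem mv keeps the inode and the
# writer's later output lands in the renamed file; "different" otherwise.
rename_keeps_inode() {
  dir=$(mktemp -d) || return 1
  log="$dir/alert"
  : > "$log"
  set -- $(ls -i "$log"); before=$1         # inode number before the rename
  exec 3>>"$log"                            # simulated logger holds the file open
  echo "alert one" >&3
  mv "$log" "$log.1"                        # same filesystem: only the name changes
  set -- $(ls -i "$log.1"); after=$1        # inode number after the rename
  echo "alert two" >&3                      # still reaches the open inode (alert.1)
  exec 3>&-                                 # "reopen": drop the old descriptor ...
  : > "$log"                                # ... and start a fresh file at the old path
  if [ "$before" = "$after" ] && grep -q "alert two" "$log.1" && [ ! -s "$log" ]; then
    echo same
  else
    echo different
  fi
  rm -rf "$dir"
}

# Simulates a cross-filesystem mv (copy, then unlink the original).
# Returns "lost" when output written after the move is absent from the
# copy, i.e. it went to the unlinked inode; "kept" otherwise.
copy_then_unlink_loses_writes() {
  dir=$(mktemp -d) || return 1
  log="$dir/alert"
  : > "$log"
  exec 4>>"$log"
  echo "alert one" >&4
  cp "$log" "$dir/alert.moved" && rm "$log" # what mv does across filesystems
  echo "alert two" >&4                      # written to the unlinked inode
  exec 4>&-
  if grep -q "alert two" "$dir/alert.moved"; then
    echo kept
  else
    echo lost
  fi
  rm -rf "$dir"
}

echo "same-filesystem rename: $(rename_keeps_inode)"
echo "cross-filesystem move:  $(copy_then_unlink_loses_writes)"
```

The practical reading: rotate with a rename on the same file system and then signal the logger to reopen, and check afterwards that the new file at the original path is receiving alerts. If the rotation target is on another file system, rename locally first and copy the rotated file afterwards, so no alert is written to an inode nothing can read.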


