Snort mailing list archives
Re: Help needed with logs
From: Michael Boman <michael.boman () securecirt com>
Date: Tue, 03 Feb 2004 18:30:49 +0800
On Tue, 2004-02-03 at 05:51, Peggy Kam wrote:
> Hi, I am running snort-2.0.4 on RH9. I would like to know how the alerts are logged to the log file? i.e. during the ID process, are the alerts being temporarily stored in a buffer and then output all at once to a file, or are they being written to a file every single time an alert is triggered by a packet? The reason why I am asking is that I would like to know if I am able to move the logs to another log file when the default log file reaches its size limitation. Thanks in advance, Peggy
A normal rename (mv) on the same file system does not usually change anything else but the name itself (ie: the file is still at the same inode, which is (simplified) what programs actually use to refer to the file). In that case no, you can just rename it and then send a -HUP signal to snort (or restart it. Complete restart is required if you use any of the -u/-g/-t flags IIRC).

I have never moved my logs to a different file system while they are running, so I haven't tested that one (and hence, don't have a definitive answer for that scenario).

Best regards
Michael Boman

--
Michael Boman
Security Architect, SecureCiRT Pte Ltd
http://www.securecirt.com
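The rename-then-HUP behaviour described in this reply, shown with a small shell stand-in for a daemon that keeps its alert log open (an added example, not from the thread or from snort itself; the writer, the temporary path and the timings are constructed). It checks that mv on the same file system leaves the inode unchanged, that the daemon keeps appending to the renamed file, and that only after SIGHUP does a fresh file appear under the old name.

```shell
#!/bin/sh
# Stand-in for a daemon that keeps its alert log open and reopens it on
# SIGHUP, the way the reply describes for snort. Constructed example.
LOGDIR=$(mktemp -d)
LOG="$LOGDIR/alert"                 # constructed path, not snort's default

writer() {
    reopen=0
    trap 'reopen=1' HUP
    exec 3>>"$LOG"                  # open once; fd 3 now refers to the inode
    while :; do
        if [ "$reopen" -eq 1 ]; then
            exec 3>&-               # close the old inode ...
            exec 3>>"$LOG"          # ... and create a fresh file under the old name
            reopen=0
        fi
        echo "alert at $(date +%s)" >&3
        sleep 0.1
    done
}

inode_of() { ls -i "$1" | awk '{print $1}'; }

# Rename the live log, observe that the writer still appends to the renamed
# file (same inode), then HUP the writer so a new log appears under $LOG.
rotate_demo() {
    writer & WPID=$!
    sleep 0.5
    before=$(inode_of "$LOG")
    mv "$LOG" "$LOG.1"              # same file system: only the name changes
    after=$(inode_of "$LOG.1")
    n1=$(wc -l < "$LOG.1"); sleep 0.5; n2=$(wc -l < "$LOG.1")
    kill -HUP "$WPID"; sleep 0.5
    n3=$(wc -l < "$LOG.1"); sleep 0.5; n4=$(wc -l < "$LOG.1")
    kill "$WPID" 2>/dev/null || true; wait "$WPID" 2>/dev/null || true
    INODE_UNCHANGED=$([ "$before" = "$after" ] && echo yes || echo no)
    GROWS_AFTER_MV=$([ "$n2" -gt "$n1" ] && echo yes || echo no)
    NEW_LOG_AFTER_HUP=$([ -f "$LOG" ] && [ "$n4" -eq "$n3" ] && echo yes || echo no)
    printf 'inode unchanged by mv: %s\nrenamed file grows after mv: %s\nnew log after HUP: %s\n' \
        "$INODE_UNCHANGED" "$GROWS_AFTER_MV" "$NEW_LOG_AFTER_HUP"
    rm -rf "$LOGDIR"
}

rotate_demo
```

The same check, run against the real daemon's log file and PID, tells you whether your rotation step actually needs the HUP (or, with -u/-g/-t, a restart) before the old file can be safely archived.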