Re: Rotating '-b' logs without stopping snort? (0% data loss...)

[Pawel Krawczyk <kravietz () ceti pl>]

On Tue, Jul 24, 2001 at 05:01:47AM -0400, Dave Cinege wrote:

> How can I resolve this? If I need to do some recoding of snort I can, though
> KISS is best. (I was thinking maybe sending a signal to the
> process to pause file writing and buffer util getting another signal
> to resume writing)

Actually best method to do it I've seen is in Squid. You can signal
it (or, if you're nice, issue `squid -k rotate' command) and it will
move the old logs to `access_log.0' and start writing to `access_log'.
Then you can do anything with the rotated file as Squid doesn't touch
it. And the change is very quick, since Squid only closes the old file,
does a rename operation which is atomic, and the opens the new file.
It would be nice to see such feature in Snort...

Right now I'm doing it similiar way (I'm storing all alerts and packet
dumps in /var/log/snort):

1. a script shutdowns Snort
2. rename /var/log/snort to /var/log/snort-DATE (atomic)
3. mkdir /var/log/snort
4. start Snort

Then, with Snort running again on fresh data, I do all the processing.

-- 
Pawe� Krawczyk *** home: <http://ceti.pl/~kravietz/>
security: <http://ipsec.pl/>  *** fidonet: 2:486/23

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users