Re: Rotating '-b' logs without stopping snort? (0% data loss...)

[Chris Keladis <Chris.Keladis () cmc cwo net au>]

Johannes Grosen wrote:

> On Tue, Jul 24, 2001 at 05:01:47AM -0400, Dave Cinege wrote:

> > I have tried to 'slide' the snort.log file, by `sync,cp,:>` (truncate)
> > praying buffering would always work to my advantage. However
> > it's leaving me with corrupted log files.
> >
> > How can I resolve this? If I need to do some recoding of snort I can, though
> > KISS is best. (I was thinking maybe sending a signal to the
> > process to pause file writing and buffer util getting another signal
> > to resume writing)
> >
> > Any suggestions appreciated.
>
> Why not take the following approach: write a script that grabs the
> current snort process ID and removes the pid file. Then start a second
> snort process. I would consider using the new -L command line option
> to name the log files.  Once the second snort is running you can kill
> the first snort by sending a signal to the saved PID. Yes, there will
> be some overlap in packet capturing between the two but if you
> absolutely can't miss any packets then this seems to be the approach
> to take.

I've not checked, but wouldn't snort have signal handlers to trap things like
SIGUSR1 (for example), to rotate the logfiles without disrupting things?

If not, then it might be something to put on the TODO list.




Regards,

Chris.


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users