Snort mailing list archives

Frequent binary log rotation data loss


From: Dave Cinege <dcinege () psychosis com>
Date: Tue, 31 Jul 2001 00:30:54 -0400

Working on a distributed system blah blah archived post here:
http://archives.neohapsis.com/archives/snort/2001-07/0623.html

The goal is to have snort write to a pipe and have an intermediate
program read the pipe and rotate out logs so snort is never stopped
and data is never lost.

However, as I work up to doing this I'm just stopping snort, rotating
the logs, and starting snort at 1-minute intervals.

The problem: When the server gets the log file and processes it,
no data is dumped when rules are applied. If I snort -dvr (no rules) I can
see the output. If we let snort run a significant amount of time,
we will see data properly dumped.

I've come to the conclusion that snort is getting stopped before fully
committing all data to disk, or more specifically in the *middle* of an
attack. Thus when the log gets processed back at the server we never see
output because we rarely ever get complete output.

**Corrections please** if this does not sound right to you...
I have yet to take the time to actually read the snort logging source
to see exactly how it's being buffered, etc.

I need to know how to remedy this problem. My first guess is that
this to-be-made pipe reading program could buffer and commit to disk only
on 'attack boundaries'. However I have no idea how to determine this.
Also I would think snort would ALREADY work this way. (So am I doing
something else wrong?)

Dave
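The pipe-reading rotator described in the post above, as an added example that is not part of the original message or of Snort itself. It assumes snort -b emits the classic tcpdump/pcap binary format (24-byte global header, then a 16-byte record header plus incl_len bytes per packet, in the writer's byte order) and that the stream arrives on stdin, for instance from a named pipe; the function names, the synthetic packets built by build_sample_stream and the snort.log.NNNN output names are all constructed for this demo. The rotator switches output files only between complete packet records and gives every file its own global header, so each rotated file is a valid capture on its own; count_records is the check for whether a given file was cut off mid-record, which is the symptom a reader sees after an abrupt stop.

```python
"""Rotate a tcpdump/pcap-format log stream on packet-record boundaries.

Added example for this thread, not code from the original post or from
Snort.  Assumption: snort -b writes the classic pcap format (24-byte
global header, then per packet a 16-byte record header followed by
incl_len bytes of packet data, all in the writer's host byte order).
"""
import io
import struct

GLOBAL_HDR_LEN = 24
REC_HDR_LEN = 16
# magic 0xa1b2c3d4 as it appears on disk from a little- or big-endian writer
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}


def read_exact(stream, n):
    """Read n bytes from a blocking pipe/file; a short result means EOF."""
    buf = bytearray()
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return bytes(buf)


def rotate_pcap_stream(stream, open_output, records_per_file):
    """Copy a pcap stream into successive output files, switching files only
    between complete packet records, so no file ever ends mid-record.
    Each output file gets its own copy of the global header and is therefore
    a valid capture by itself.  open_output(index) returns a writable binary
    file; it is flushed and closed before the next one is opened.
    Returns (records_written, files_opened, leftover): leftover is a partial
    trailing record cut off by EOF, which is held back rather than written.
    """
    ghdr = read_exact(stream, GLOBAL_HDR_LEN)
    if len(ghdr) < GLOBAL_HDR_LEN or ghdr[:4] not in MAGICS:
        raise ValueError("stream does not start with a pcap global header")
    endian = MAGICS[ghdr[:4]]
    out, in_file, files, written = None, 0, 0, 0
    leftover = b""
    while True:
        rhdr = read_exact(stream, REC_HDR_LEN)
        if len(rhdr) < REC_HDR_LEN:      # EOF; empty means a clean boundary
            leftover = rhdr
            break
        incl_len = struct.unpack(endian + "IIII", rhdr)[2]
        body = read_exact(stream, incl_len)
        if len(body) < incl_len:         # EOF inside the packet data
            leftover = rhdr + body
            break
        if out is None or in_file >= records_per_file:
            if out is not None:
                out.flush()
                out.close()
            out = open_output(files)
            out.write(ghdr)              # every file is a stand-alone capture
            files += 1
            in_file = 0
        out.write(rhdr + body)           # record header + data, never split
        in_file += 1
        written += 1
    if out is not None:
        out.flush()
        out.close()
    return written, files, leftover


def count_records(data):
    """Return the number of complete records in a pcap blob, or -1 if the
    blob is truncated (what a reader sees after a mid-record stop)."""
    if len(data) < GLOBAL_HDR_LEN or data[:4] not in MAGICS:
        return -1
    endian, pos, n = MAGICS[data[:4]], GLOBAL_HDR_LEN, 0
    while pos < len(data):
        if pos + REC_HDR_LEN > len(data):
            return -1
        incl_len = struct.unpack(endian + "IIII", data[pos:pos + REC_HDR_LEN])[2]
        if pos + REC_HDR_LEN + incl_len > len(data):
            return -1
        pos += REC_HDR_LEN + incl_len
        n += 1
    return n


def build_sample_stream(n_packets, cut=0):
    """Constructed input (not a real capture): n synthetic packets of varying
    size; cut>0 drops that many trailing bytes to mimic a mid-record stop."""
    data = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i in range(n_packets):
        body = bytes([i % 256]) * (40 + 17 * i)
        data += struct.pack("<IIII", 1000 + i, 0, len(body), len(body)) + body
    return data[:len(data) - cut] if cut else data


class KeepBytesIO(io.BytesIO):
    """BytesIO that retains its contents after close(), for in-memory demos."""
    def close(self):
        self.value = self.getvalue()
        super().close()


def demo(n_packets=10, per_file=3, cut=0):
    """Run the rotator over a constructed stream; returns
    (records_written, files_opened, leftover_bytes, records_per_output_file)."""
    outputs = []

    def open_output(index):
        outputs.append(KeepBytesIO())
        return outputs[-1]

    src = io.BytesIO(build_sample_stream(n_packets, cut))
    written, files, leftover = rotate_pcap_stream(src, open_output, per_file)
    return written, files, len(leftover), [count_records(o.value) for o in outputs]


if __name__ == "__main__":
    import sys
    # Assumed deployment: a pcap stream on stdin (e.g. a named pipe that
    # snort -b writes to); 1000 packets per output file, names are made up.
    opener = lambda i: open(f"snort.log.{i:04d}", "wb")
    print(rotate_pcap_stream(sys.stdin.buffer, opener, 1000))
```

With ten synthetic packets and three records per file the rotator produces four files holding 3, 3, 3 and 1 records; if the input is cut five bytes short, the ninth complete record is the last one written and the 204 bytes of the partial tenth record are returned as leftover instead of landing in a file, so count_records on every output still reports a whole number rather than -1.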
