Snort mailing list archives

RE: Log Rotation


From: JP Vossen <vossenjp () netaxs com>
Date: Fri, 5 Dec 2003 14:26:32 -0500 (EST)

On Fri, 5 Dec 2003, Keaton, Lindamaria wrote:

I get the following error message. Any ideas? By the way I am running
this on Linux.

# /etc/init.d/snort restart
/etc/init.d/snort: line 1: /var/log/snort//2003-12-05: No such file or
directory
/etc/init.d/snort: line 1: /var/log/snort//2003-12-05: No such file or
directory
Stoping Intrusion Database System: SNORT
.
/etc/init.d/snort: line 1: /var/log/snort//2003-12-05: No such file or
directory
Starting Intrusion Database System: SNORT
SNORT is up and running!

The symptom is that Snort can't find the log directory. Sorry about that.  I
assumed you would remove the non-relevant parts from the code before using it.
I run more than one instance of Snort, so there is an extra variable called
${SNORTNAME} in there.  That is causing the '//' in 'snort//2003' above.  I
suspect that is the root cause of the problem.

Here is a better /etc/init.d/snortd fragment (NOT TESTED) with more comments:

        # Log everything in a dated directory
        # Get the date (have to run this after midnight, because the
        # directory name is fixed at the moment Snort starts)
        TheDate=`/bin/date '+%Y-%m-%d'`
        # Create the new dated directory if it does not exist
        # (-p also creates any missing parent directories)
        if [ ! -d /var/log/snort/${TheDate} ]; then
                /bin/mkdir -p /var/log/snort/${TheDate}
        fi

        # Actually start snort, with our options.
        # 'daemon' is the helper from /etc/init.d/functions on Red Hat
        # style init scripts; $INTERFACE and $BPFFILE are set earlier in
        # the script. -D daemonizes, -c names the config, -l sets the log
        # directory created above, -b logs packets in tcpdump (binary)
        # format. Snort treats whatever is left after the options as a
        # BPF filter expression, so ${BPFFILE} is expected to hold the
        # filter text (a filter *file* would be passed with -F instead).
        daemon /usr/sbin/snort -D -i $INTERFACE \
                -c /etc/snort.conf \
                -l /var/log/snort/${TheDate} -b ${BPFFILE}

Later,
JP
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|         jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
You used to have to reboot the Windows 9.x series every couple of days
because it would crash.  Now you have to reboot Windows 200x or XP every
couple of days because of a patch.  How is that better or more stable?
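An added example (not JP's script) of the same dated-directory logic written so that an empty instance name can no longer produce the "snort//2003-12-05" path from the error above. The base directory, instance name and date are parameters (assumed names) so the behaviour can be checked without touching /var/log.

```shell
#!/bin/sh
# Added example, not the original /etc/init.d/snortd fragment.
# snort_logdir BASE INSTANCE DATE: print the dated log directory for one
# Snort instance and create it if it is missing.
snort_logdir() {
    base=$1
    instance=$2
    date=$3
    # Only add the instance component when it is non-empty. Expanding an
    # empty ${SNORTNAME} between two slashes is what produced "snort//".
    if [ -n "$instance" ]; then
        dir="$base/$instance/$date"
    else
        dir="$base/$date"
    fi
    # -p creates the instance directory as well. -m applies only to the
    # final component; alert and packet logs can hold sensitive payload
    # data, so keep the directory closed to other users.
    if [ ! -d "$dir" ]; then
        mkdir -p -m 0750 "$dir" || return 1
    fi
    printf '%s\n' "$dir"
}

# snort_start_cmd DIR IFACE CONF: assemble the start command as a string
# so an operator can inspect the exact path before handing it to daemon.
snort_start_cmd() {
    printf '%s\n' "/usr/sbin/snort -D -i $2 -c $3 -l $1"
}

# Stand-alone run: today's date, a single instance, a temporary base dir.
if [ "${0##*/}" != "sh" ] && [ -z "$SNORT_LOGDIR_NO_MAIN" ]; then
    base=$(mktemp -d)
    d=$(snort_logdir "$base" "" "$(date '+%Y-%m-%d')") || exit 1
    snort_start_cmd "$d" eth0 /etc/snort.conf
    rm -rf "$base"
fi
```

Because the directory name is chosen once at start time, the restart still has to happen after midnight, exactly as the original comment says.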


