Snort mailing list archives

2GB limit on alert log


From: "Aaron" <snort () microchp org>
Date: Wed, 21 Jul 2004 12:02:36 -0700

Has anyone found a good procedure for getting past the 2GB limit on snort's alert log?

Before anyone suggests this, the problem is not a filesystem imposed limit. On the same fs, I have other apps dumping 20-50GB files daily.

At 2GB, snort exits. If started in fg, it complains that the file is too big.

I tried recompiling libpcap with -D_FILE_OFFSET_BITS=64 and -D_LARGEFILE_SOURCE but that did not seem to help.

I searched for articles pertaining to this, but everyone I have seen answer it seems to think in the direction of fs limitations.

My logs easily grow to this size within a week with minimal logging enabled, so I have to find a way around this, and putting in more sensors is not an option. I have several heavily populated /17's behind this sensor and that is not going to change. I would prefer not to SIGHUP and rename every week. Keeping the data in one contiguous file is much preferred.

MySQL is not an option either. I kicked that beeotch to the curb some time ago. Flat files, shell scripts and snortalog are the only sensible way to go for me. : - )
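A check for this kind of report, added here as an example and not part of the original thread or of the Snort or libpcap sources: a small C program that reports the width of off_t and tries to write one byte just past 2 GiB into a sparse temporary file. On a build without large-file support (compiled without -D_FILE_OFFSET_BITS=64) the write fails with EFBIG, which is the "file too big" condition described above; the define has to be in effect for the program that actually writes the file, not only for a library it links against. It assumes a POSIX system with a writable /tmp.

```c
/* Added example: probe whether this build can grow a file past 2 GiB.
 * Compile with and without -D_FILE_OFFSET_BITS=64 on a 32-bit toolchain
 * to see the difference. Assumes POSIX and a writable /tmp. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Width of off_t in bits: 32 means offsets past 2 GiB cannot be expressed
 * and writes there fail with EFBIG. */
int off_t_bits(void) { return (int)(sizeof(off_t) * 8); }

/* Create a sparse temporary file and write one byte just beyond 2 GiB.
 * Returns 0 on success or the errno of the failing call (EFBIG on a
 * non-LFS build, EOVERFLOW if the offset does not fit in off_t at all).
 * The file is sparse (one block on disk) and is unlinked before return. */
int lfs_probe(void) {
    char path[] = "/tmp/lfs_probe_XXXXXX";   /* mkstemp fills the X's */
    int fd = mkstemp(path);
    if (fd < 0) return errno;
    int rc = 0;
    /* 2^31 + 1: one byte beyond what a signed 32-bit offset can address.
     * On a 32-bit off_t this conversion wraps negative, which we detect. */
    off_t target = (off_t)2147483648LL + 1;
    if (target <= 0) {
        rc = EOVERFLOW;
    } else if (lseek(fd, target, SEEK_SET) < 0 || write(fd, "x", 1) != 1) {
        rc = errno;
    }
    close(fd);
    unlink(path);
    return rc;
}

int main(void) {
    printf("off_t is %d bits\n", off_t_bits());
    int rc = lfs_probe();
    printf("write past 2 GiB: %s\n", rc == 0 ? "ok" : strerror(rc));
    return rc == 0 ? 0 : 1;
}
```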


