Snort mailing list archives

Re: Daemonlogger -- Response to Marty Roesch


From: "Marty Roesch (maroesch)" <maroesch () cisco com>
Date: Fri, 24 Jul 2015 19:03:17 +0000

Well there’s your problem right there.  Looks like there’s some sort of
signage/wraparound issue going on.  Is this on x86?

Try

daemonlogger -i p5p3 -l /var/log/daemonlogger/p5p3 -n daemonlogger-p5p3 -p daemonlogger-p5p3.pid -r -m 5 -s 1g


And send me the runtime output from that run.


-- 
Martin Roesch - maroesch () cisco com
VP/Chief Architect, Security Business Group
   ,,_
  o"  )~  Sourcefire - Now a part of Cisco   . : | : . : | : .
   ''''
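The rollover size printed in the quoted output below (18446744071562067968 bytes) is exactly what a 32-bit signed value holding INT32_MIN becomes once it is widened to a 64-bit unsigned integer: the sign bit is copied into the upper 32 bits. The following C example is added here and is not daemonlogger's code; it reproduces that number and shows a size parser and rollover check that stay unsigned end to end. The function names and the 2.1 GiB sample file size are constructed for the illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Widen a 32-bit signed value to 64-bit unsigned. INT32_MIN is what a
 * 2 GiB (2^31) default becomes after wrapping in a signed 32-bit int;
 * widened, it reads 18446744071562067968 (0xFFFFFFFF80000000). */
uint64_t widen_signed32(int32_t v) {
    return (uint64_t)v;   /* sign-extends, then reinterprets modulo 2^64 */
}

/* Parse "1g", "512m", "4096" into bytes using unsigned 64-bit arithmetic
 * only, with overflow checks. Returns 0 on any error (0 is not a usable
 * rollover size). Constructed example, not daemonlogger's own parser. */
uint64_t parse_size(const char *s) {
    char *end;
    if (*s == '-') return 0;          /* strtoull would silently negate */
    errno = 0;
    unsigned long long base = strtoull(s, &end, 10);
    if (errno != 0 || end == s || base == 0) return 0;
    uint64_t mult = 1;
    switch (tolower((unsigned char)*end)) {
        case 'k': mult = 1ULL << 10; end++; break;
        case 'm': mult = 1ULL << 20; end++; break;
        case 'g': mult = 1ULL << 30; end++; break;
        case '\0': break;
        default: return 0;
    }
    if (*end != '\0') return 0;
    if (base > UINT64_MAX / mult) return 0;   /* multiplication would wrap */
    return (uint64_t)base * mult;
}

/* Rollover decision made entirely in unsigned arithmetic. */
int should_rollover(uint64_t bytes_written, uint64_t limit) {
    return limit != 0 && bytes_written >= limit;
}

int main(void) {
    uint64_t wrapped = widen_signed32(INT32_MIN);
    uint64_t one_gig = parse_size("1g");
    uint64_t file = 2254857830ULL;    /* roughly 2.1 GiB, like the file in the thread */
    printf("wrapped default: %llu bytes\n", (unsigned long long)wrapped);
    printf("-s 1g          : %llu bytes\n", (unsigned long long)one_gig);
    printf("2.1G file rolls over at wrapped limit: %d, at 1g: %d\n",
           should_rollover(file, wrapped), should_rollover(file, one_gig));
    return 0;
}
```

With the wrapped limit no realistic file ever reaches the threshold, which matches the 2.1G file that never rolled over; with an explicit `-s 1g` the same file is well past the limit.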






On 7/24/15, 2:55 PM, "Turnbough, Bradley E." <bturnbough () belcan com> wrote:

cat /etc/centos-release:
CentOS release 6.5 (Final)

Running this:
daemonlogger -i p5p3 -l /var/log/daemonlogger/p5p3 -n daemonlogger-p5p3 -p daemonlogger-p5p3.pid -r -m 5

Produced this:
[-] Interface set to p5p3
[-] Logpath set to /var/log/daemonlogger/p5p3
[-] Max files to write set to 5
[-] Log filename set to "daemonlogger-p5p3"
[-] Pidfile configured to "daemonlogger-p5p3.pid"
[-] Pidpath configured to "/var/run"
[-] Ringbuffer active
[-] Rollover size set to 18446744071562067968 bytes
[-] Rollover time configured for 0 seconds
[-] Pruning behavior set to oldest IN DIRECTORY

-*> DaemonLogger <*-
Version 1.2.1
By Martin Roesch
(C) Copyright 2006-2007 Sourcefire Inc., All rights reserved

Checking partition stats for log directory "/var/log/daemonlogger/p5p3/."
sniffing on interface p5p3
start_sniffing() device p5p3 network lookup:    p5p3: no IPv4 address assigned
Logging packets to /var/log/daemonlogger/p5p3/daemonlogger-p5p3.1437764092



________________________________________
From: Marty Roesch (maroesch) [maroesch () cisco com]
Sent: Friday, July 24, 2015 1:52 PM
To: Turnbough, Bradley E.; snort-users () lists sourceforge net
Subject: Re: Daemonlogger -- Response to Marty Roesch

What platform is this on?

Can you grab the configuration output that it dumps to the screen when it
runs and send that over too?

Marty

--
Martin Roesch - maroesch () cisco com
VP/Chief Architect, Security Business Group
  ,,_
 o"  )~  Sourcefire - Now a part of Cisco   . : | : . : | : .
  ''''






On 7/24/15, 2:39 PM, "Turnbough, Bradley E." <bturnbough () belcan com>
wrote:

FYI -- I'm running Version 1.2.1, if that helps.

________________________________________
From: Turnbough, Bradley E. [bturnbough () belcan com]
Sent: Friday, July 24, 2015 1:37 PM
To: snort-users () lists sourceforge net
Cc: maroesch () cisco com
Subject: [Snort-users] Daemonlogger -- Response to Marty Roesch

Hi Marty,

Sorry, but I accidentally deleted our thread.


I did as you requested, but daemonlogger is not rolling over to a new
file after 1Gb.

Here is the file:
-rw-r--r--  1 root root 2.1G Jul 24 14:34 daemonlogger-p5p3.1437762253

Here is the command:
daemonlogger -d -i p5p3 -l /var/log/daemonlogger/p5p3 -n daemonlogger-p5p3 -p daemonlogger-p5p3.pid -r -m 5



------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
