Snort mailing list archives

Re: Daemonlogger -- Response to Marty Roesch


From: "Turnbough, Bradley E." <bturnbough () belcan com>
Date: Mon, 27 Jul 2015 14:53:24 +0000


-Z :
daemonlogger: invalid option -- 'Z'

-z :
[-] Pruning behavior set to oldest THIS RUN

Undocumented flags are always fun :)

Closer, but still no solution.

If *no* -z flag is set, I see this:

[-] Pruning behavior set to oldest IN DIRECTORY


But it's not working as advertised.



________________________________________
From: Marty Roesch (maroesch) [maroesch () cisco com]
Sent: Friday, July 24, 2015 4:19 PM
To: Turnbough, Bradley E.
Cc: snort-users () lists sourceforge net
Subject: Re: Daemonlogger -- Response to Marty Roesch

Try the -z option and see if that helps out...


Sent from my iPhone

On Jul 24, 2015, at 4:46 PM, Turnbough, Bradley E. <bturnbough () belcan com> wrote:

I think I've recreated the issue.

running:
daemonlogger -i p5p3 -l /var/log/daemonlogger/p5p3 -n daemonlogger-p5p3 -p daemonlogger-p5p3.pid -r -m 5 -s 1g

I let it run for a while.  The process was working just fine.  (5 files, rotated every 1 gig)

I then stopped the process by issuing a ctrl-c, and then restarted it again.

Now I have more than 5 files:

-rw-r--r--  1 root root 1.1G Jul 24 15:51 daemonlogger-p5p3.1437766803
-rw-r--r--  1 root root 1.1G Jul 24 16:00 daemonlogger-p5p3.1437767505
-rw-r--r--  1 root root 1.1G Jul 24 16:09 daemonlogger-p5p3.1437768022
-rw-r--r--  1 root root 1.1G Jul 24 16:21 daemonlogger-p5p3.1437768591
-rw-r--r--  1 root root 184M Jul 24 16:23 daemonlogger-p5p3.1437769280
-rw-r--r--  1 root root 1.1G Jul 24 16:32 daemonlogger-p5p3.1437769403
-rw-r--r--  1 root root 420M Jul 24 16:37 daemonlogger-p5p3.1437769947

I have some scripts that stop the snort / barnyard / daemonlogger processes every night.  They're all restarted again 
once backups are finished and whatnot.

I believe this is why I have so many extra files hanging around.  I don't believe the program should work this way, 
but I can't say for certain, as you wrote it  :)  I would think that the program would load the filenames into an 
array and drop the first one off of the list, regardless of whether it actually wrote out the file during its 
invocation.

Thoughts?


________________________________________
From: Marty Roesch (maroesch) [maroesch () cisco com]
Sent: Friday, July 24, 2015 2:27 PM
To: Turnbough, Bradley E.; snort-users () lists sourceforge net
Subject: Re: Daemonlogger -- Response to Marty Roesch

In theory it shouldn't make a difference; let it run and see if there's a
difference in fact.  It used to work when 1.2.1 was released, but I haven't
done the tech support thing for my own OSS in a while, so maybe something is
broken on newer systems and I need to dig into it a little deeper and see
what's going on.

Let me know if it prunes properly now that the size limiter is working.

--
Martin Roesch - maroesch () cisco com
VP/Chief Architect, Security Business Group
  ,,_
 o"  )~  Sourcefire - Now a part of Cisco   . : | : . : | : .
  ''''

On 7/24/15, 3:19 PM, "Turnbough, Bradley E." <bturnbough () belcan com> wrote:

That's what I was thinking as well.  Yes, x86_64

uname -a:
Linux awidssen01 2.6.32-431.23.3.el6.x86_64 #1 SMP Thu Jul 31 17:20:51
UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

Running this:
daemonlogger -i p5p3 -l /var/log/daemonlogger/p5p3 -n daemonlogger-p5p3
-p daemonlogger-p5p3.pid -r -m 5 -s 1g


Produced this:
[-] Interface set to p5p3
[-] Logpath set to /var/log/daemonlogger/p5p3
[-] Max files to write set to 5
[-] Log filename set to "daemonlogger-p5p3"
[-] Pidfile configured to "daemonlogger-p5p3.pid"
[-] Pidpath configured to "/var/run"
[-] Ringbuffer active
[-] Rollover configured for 1 gigabytes
[-] Rollover configured for 0 none
[-] Pruning behavior set to oldest IN DIRECTORY

-*> DaemonLogger <*-
Version 1.2.1
By Martin Roesch
(C) Copyright 2006-2007 Sourcefire Inc., All rights reserved

Checking partition stats for log directory "/var/log/daemonlogger/p5p3/."
sniffing on interface p5p3
start_sniffing() device p5p3 network lookup:    p5p3: no IPv4 address
assigned


It appears to be working (as I'm seeing files broken at 1gig marks), but
the problem I was having before was that the files weren't being purged
as they should.  The initial message I sent out stated I had 156+ (1gig)
files.

Would the flags "-s 1g" / "-s 1000000000" make a difference
functionality-wise?
________________________________________
From: Marty Roesch (maroesch) [maroesch () cisco com]
Sent: Friday, July 24, 2015 2:03 PM
To: Turnbough, Bradley E.; snort-users () lists sourceforge net
Subject: Re: Daemonlogger -- Response to Marty Roesch

Well there’s your problem right there.  Looks like there’s some sort of
signage/wraparound issue going on.  Is this on x86?

Try

daemonlogger -i p5p3 -l /var/log/daemonlogger/p5p3 -n daemonlogger-p5p3 -p
daemonlogger-p5p3.pid -r -m 5 -s 1g


And send me the runtime output from that run.


--
Martin Roesch - maroesch () cisco com
VP/Chief Architect, Security Business Group
 ,,_
o"  )~  Sourcefire - Now a part of Cisco   . : | : . : | : .
 ''''

On 7/24/15, 2:55 PM, "Turnbough, Bradley E." <bturnbough () belcan com>
wrote:

cat /etc/centos-release:
CentOS release 6.5 (Final)

Running this:
daemonlogger -i p5p3 -l /var/log/daemonlogger/p5p3 -n daemonlogger-p5p3
-p daemonlogger-p5p3.pid -r -m 5

Produced this:
[-] Interface set to p5p3
[-] Logpath set to /var/log/daemonlogger/p5p3
[-] Max files to write set to 5
[-] Log filename set to "daemonlogger-p5p3"
[-] Pidfile configured to "daemonlogger-p5p3.pid"
[-] Pidpath configured to "/var/run"
[-] Ringbuffer active
[-] Rollover size set to 18446744071562067968 bytes
[-] Rollover time configured for 0 seconds
[-] Pruning behavior set to oldest IN DIRECTORY

-*> DaemonLogger <*-
Version 1.2.1
By Martin Roesch
(C) Copyright 2006-2007 Sourcefire Inc., All rights reserved

Checking partition stats for log directory "/var/log/daemonlogger/p5p3/."
sniffing on interface p5p3
start_sniffing() device p5p3 network lookup:    p5p3: no IPv4 address
assigned
Logging packets to
/var/log/daemonlogger/p5p3/daemonlogger-p5p3.1437764092



________________________________________
From: Marty Roesch (maroesch) [maroesch () cisco com]
Sent: Friday, July 24, 2015 1:52 PM
To: Turnbough, Bradley E.; snort-users () lists sourceforge net
Subject: Re: Daemonlogger -- Response to Marty Roesch

What platform is this on?

Can you grab the configuration output that it dumps to the screen when it
runs and send that over too?

Marty

--
Martin Roesch - maroesch () cisco com
VP/Chief Architect, Security Business Group
 ,,_
o"  )~  Sourcefire - Now a part of Cisco   . : | : . : | : .
 ''''

On 7/24/15, 2:39 PM, "Turnbough, Bradley E." <bturnbough () belcan com>
wrote:

FYI -- I'm running Version 1.2.1, if that helps.

________________________________________
From: Turnbough, Bradley E. [bturnbough () belcan com]
Sent: Friday, July 24, 2015 1:37 PM
To: snort-users () lists sourceforge net
Cc: maroesch () cisco com
Subject: [Snort-users] Daemonlogger -- Response to Marty Roesch

Hi Marty,

Sorry, but I accidentally deleted our thread.


I did as you requested, but daemonlogger is not rolling over to a new
file after 1Gb.

Here is the file:
-rw-r--r--  1 root root 2.1G Jul 24 14:34 daemonlogger-p5p3.1437762253

Here is the command:
daemonlogger -d -i p5p3 -l /var/log/daemonlogger/p5p3 -n
daemonlogger-p5p3 -p daemonlogger-p5p3.pid -r -m 5


_____________________________________________________________
This e-mail transmission contains information that is confidential and may be
privileged. It is intended only for the addressee(s) named above. If you
receive this e-mail in error, please do not read, copy or disseminate it
in any manner. If you are not the intended recipient, any disclosure,
copying, distribution or use of the contents of this information is
prohibited. Please reply to the message immediately by informing the
sender that the message was misdirected. After replying, please erase it
from your computer system. Your assistance in correcting this error is
appreciated.

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
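The behaviour Bradley describes (each restart counts only the files it wrote itself, so the -m 5 ring grows with every stop/start) can be enforced externally. The following is an added example, not daemonlogger's own code; it assumes the default "<name>.<epoch>" naming shown in the thread and that the hypothetical helper is run before daemonlogger is restarted.

```python
import os
import re
from typing import List

# Added example (not daemonlogger's own code): enforce the -m <max_files>
# ring across restarts. Assumes the "<name>.<epoch>" file naming seen in
# the thread; run it before restarting daemonlogger.


def files_to_prune(names: List[str], prefix: str, max_files: int) -> List[str]:
    """Return capture files beyond the ring size, oldest first."""
    # Order by the epoch suffix, not by which daemonlogger run wrote the file:
    # a restart starts a fresh in-process count and ignores earlier files.
    pat = re.compile(r"^" + re.escape(prefix) + r"\.(\d+)$")
    matched = []
    for name in names:
        m = pat.match(name)
        if m:
            matched.append((int(m.group(1)), name))
    matched.sort()                       # oldest epoch first
    excess = len(matched) - max_files
    return [name for _, name in matched[:excess]] if excess > 0 else []


def enforce_ring(logdir: str, prefix: str, max_files: int,
                 dry_run: bool = True) -> List[str]:
    """Delete (or with dry_run, only list) the files an -m ring should not keep."""
    victims = files_to_prune(os.listdir(logdir), prefix, max_files)
    if not dry_run:
        for name in victims:
            os.remove(os.path.join(logdir, name))
    return victims


# Constructed listing: the seven files from the thread plus one unrelated
# name to show that only the configured prefix is touched.
SAMPLE_LISTING = [
    "daemonlogger-p5p3.1437766803",
    "daemonlogger-p5p3.1437767505",
    "daemonlogger-p5p3.1437768022",
    "daemonlogger-p5p3.1437768591",
    "daemonlogger-p5p3.1437769280",
    "daemonlogger-p5p3.1437769403",
    "daemonlogger-p5p3.1437769947",
    "daemonlogger-p5p4.1437769000",      # different sensor, must be ignored
]

if __name__ == "__main__":
    for name in files_to_prune(SAMPLE_LISTING, "daemonlogger-p5p3", 5):
        print("would prune:", name)
```

With the thread's seven files and -m 5, the two oldest epochs are selected for removal and the other sensor's file is left alone.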