Snort mailing list archives
Re: Daemonlogger -- Response to Marty Roesch
From: "Marty Roesch (maroesch)" <maroesch () cisco com>
Date: Tue, 4 Aug 2015 16:06:07 +0000
Thanks, I’ve been meaning to get a new release going for a while. Maybe this will get me off my butt and working on it again. :)

Marty

--
Martin Roesch
VP/Chief Architect, Security Business Group
,,_
o" )~   Intelligent Cybersecurity for the Real World
. : | : . : | : .
''''

On 7/28/15, 8:54 AM, "Turnbough, Bradley E." <bturnbough () belcan com> wrote:

Ok. I'll get a line of script included into the init script. Thanks for all of your help! I appreciate it. Daemonlogger is a handy little tool to have in our environment. To my knowledge, I don't see anything else that needs attention. Maybe an update of the param listing from the '--help' screen, but that's about it. Again, thank you.

Brad

________________________________________
From: Marty Roesch (maroesch) [maroesch () cisco com]
Sent: Monday, July 27, 2015 5:36 PM
To: Turnbough, Bradley E.
Subject: Re: Daemonlogger -- Response to Marty Roesch

Ok… So, clearing logs from past runs is typically something for your startup script to handle. I remember this came up in the past and that’s kind of where we left things. Clearing out the logging directory before starting seems like a lot of code to replicate functions that shell scripts can do, you know? :)

Sorry about the undocumented features, it is documented in the README file. I’ve been finding a few things that probably could stand updating as I’ve been looking around in the code for DaemonLogger so maybe there will be a new version sooner rather than later.

Assuming scripting gets the job done, are there other problems you’re running into?

Marty

--
Martin Roesch - maroesch () cisco com
VP/Chief Architect, Security Business Group
Sourcefire Now a part of Cisco

On 7/27/15, 10:53 AM, "Turnbough, Bradley E." <bturnbough () belcan com> wrote:

-Z : daemonlogger: invalid option -- 'Z'
-z : [-] Pruning behavior set to oldest THIS RUN

Undocumented flags are always fun :) Closer, but still no solution. If *no* -z flag is set, I see this:

[-] Pruning behavior set to oldest IN DIRECTORY

But, it's not working as advertised.

________________________________________
From: Marty Roesch (maroesch) [maroesch () cisco com]
Sent: Friday, July 24, 2015 4:19 PM
To: Turnbough, Bradley E.
Cc: snort-users () lists sourceforge net
Subject: Re: Daemonlogger -- Response to Marty Roesch

Try the -z option and see if that helps out... Please

Sent from my iPhone

On Jul 24, 2015, at 4:46 PM, Turnbough, Bradley E. <bturnbough () belcan com> wrote:

I think I've recreated the issue.

running:
daemonlogger -i p5p3 -l /var/log/daemonlogger/p5p3 -n daemonlogger-p5p3 -p daemonlogger-p5p3.pid -r -m 5 -s 1g

I let it run for a while. The process was working just fine. (5 files, rotated every 1 gig) I then stopped the process by issuing a ctrl-c, and then restarted it again. Now I have more than 5 files:

-rw-r--r-- 1 root root 1.1G Jul 24 15:51 daemonlogger-p5p3.1437766803
-rw-r--r-- 1 root root 1.1G Jul 24 16:00 daemonlogger-p5p3.1437767505
-rw-r--r-- 1 root root 1.1G Jul 24 16:09 daemonlogger-p5p3.1437768022
-rw-r--r-- 1 root root 1.1G Jul 24 16:21 daemonlogger-p5p3.1437768591
-rw-r--r-- 1 root root 184M Jul 24 16:23 daemonlogger-p5p3.1437769280
-rw-r--r-- 1 root root 1.1G Jul 24 16:32 daemonlogger-p5p3.1437769403
-rw-r--r-- 1 root root 420M Jul 24 16:37 daemonlogger-p5p3.1437769947

I have some scripts that stop the snort / barnyard / daemonlogger processes every night. They're all restarted again once backups are finished and whatnot. I believe this is why I have so many extra files hanging around. I don't believe the program should work this way, but I can't say for certain, as you wrote it :) I would think that the program would load the filenames into an array and drop the first one off of the list, regardless of whether it actually wrote out the file during its invocation.

Thoughts?

________________________________________
From: Marty Roesch (maroesch) [maroesch () cisco com]
Sent: Friday, July 24, 2015 2:27 PM
To: Turnbough, Bradley E.; snort-users () lists sourceforge net
Subject: Re: Daemonlogger -- Response to Marty Roesch

In theory it shouldn’t make a difference, let it run and see if there’s a difference in fact. It used to work when 1.2.1 was released but I haven’t done tech support thing for my own OSS in a while so maybe something is broken on newer systems and I need to dig into it a little deeper and see what’s going on.

Let me know if it prunes properly now that the size limiter is working.

--
Martin Roesch - maroesch () cisco com
VP/Chief Architect, Security Business Group
Sourcefire Now a part of Cisco

On 7/24/15, 3:19 PM, "Turnbough, Bradley E." <bturnbough () belcan com> wrote:

That's what I was thinking as well. Yes, x86_64

uname -a:
Linux awidssen01 2.6.32-431.23.3.el6.x86_64 #1 SMP Thu Jul 31 17:20:51 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

Running this:
daemonlogger -i p5p3 -l /var/log/daemonlogger/p5p3 -n daemonlogger-p5p3 -p daemonlogger-p5p3.pid -r -m 5 -s 1g

Produced this:
[-] Interface set to p5p3
[-] Logpath set to /var/log/daemonlogger/p5p3
[-] Max files to write set to 5
[-] Log filename set to "daemonlogger-p5p3"
[-] Pidfile configured to "daemonlogger-p5p3.pid"
[-] Pidpath configured to "/var/run"
[-] Ringbuffer active
[-] Rollover configured for 1 gigabytes
[-] Rollover configured for 0 none
[-] Pruning behavior set to oldest IN DIRECTORY

-*> DaemonLogger <*-
Version 1.2.1
By Martin Roesch
(C) Copyright 2006-2007 Sourcefire Inc., All rights reserved

Checking partition stats for log directory "/var/log/daemonlogger/p5p3/."
sniffing on interface p5p3
start_sniffing() device p5p3 network lookup:
        p5p3: no IPv4 address assigned

It appears to be working (as I'm seeing files broken at 1gig marks), but the problem I was having before was that the files weren't being purged as they should. The initial message I sent out stated I had 156+ (1gig) files.

Would the flags "-s 1g" / "-s 1000000000" make a difference functionality wise?

________________________________________
From: Marty Roesch (maroesch) [maroesch () cisco com]
Sent: Friday, July 24, 2015 2:03 PM
To: Turnbough, Bradley E.; snort-users () lists sourceforge net
Subject: Re: Daemonlogger -- Response to Marty Roesch

Well there’s your problem right there. Looks like there’s some sort of signage/wraparound issue going on. Is this on x86?

Try

daemonlogger -i p5p3 -l /var/log/daemonlogger/p5p3 -n daemonlogger-p5p3 -p daemonlogger-p5p3.pid -r -m 5 -s 1g

And send me the runtime output from that run.

--
Martin Roesch - maroesch () cisco com
VP/Chief Architect, Security Business Group
Sourcefire Now a part of Cisco

On 7/24/15, 2:55 PM, "Turnbough, Bradley E." <bturnbough () belcan com> wrote:

cat /etc/centos-release:
CentOS release 6.5 (Final)

Running this:
daemonlogger -i p5p3 -l /var/log/daemonlogger/p5p3 -n daemonlogger-p5p3 -p daemonlogger-p5p3.pid -r -m 5

Produced this:
[-] Interface set to p5p3
[-] Logpath set to /var/log/daemonlogger/p5p3
[-] Max files to write set to 5
[-] Log filename set to "daemonlogger-p5p3"
[-] Pidfile configured to "daemonlogger-p5p3.pid"
[-] Pidpath configured to "/var/run"
[-] Ringbuffer active
[-] Rollover size set to 18446744071562067968 bytes
[-] Rollover time configured for 0 seconds
[-] Pruning behavior set to oldest IN DIRECTORY

-*> DaemonLogger <*-
Version 1.2.1
By Martin Roesch
(C) Copyright 2006-2007 Sourcefire Inc., All rights reserved

Checking partition stats for log directory "/var/log/daemonlogger/p5p3/."
sniffing on interface p5p3
start_sniffing() device p5p3 network lookup:
        p5p3: no IPv4 address assigned
Logging packets to /var/log/daemonlogger/p5p3/daemonlogger-p5p3.1437764092

________________________________________
From: Marty Roesch (maroesch) [maroesch () cisco com]
Sent: Friday, July 24, 2015 1:52 PM
To: Turnbough, Bradley E.; snort-users () lists sourceforge net
Subject: Re: Daemonlogger -- Response to Marty Roesch

What platform is this on? Can you grab the configuration output that it dumps to the screen when it runs and send that over too?

Marty

--
Martin Roesch - maroesch () cisco com
VP/Chief Architect, Security Business Group
Sourcefire Now a part of Cisco

On 7/24/15, 2:39 PM, "Turnbough, Bradley E." <bturnbough () belcan com> wrote:

FYI -- I'm running Version 1.2.1, if that helps.

________________________________________
From: Turnbough, Bradley E. [bturnbough () belcan com]
Sent: Friday, July 24, 2015 1:37 PM
To: snort-users () lists sourceforge net
Cc: maroesch () cisco com
Subject: [Snort-users] Daemonlogger -- Response to Marty Roesch

Hi Marty,

Sorry, but I accidentally deleted our thread. I did as you requested, but daemonlogger is not rolling over to a new file after 1Gb.

Here is the file:
-rw-r--r-- 1 root root 2.1G Jul 24 14:34 daemonlogger-p5p3.1437762253

Here is the command:
daemonlogger -d -i p5p3 -l /var/log/daemonlogger/p5p3 -n daemonlogger-p5p3 -p daemonlogger-p5p3.pid -r -m 5

_____________________________________________________________
This e-mail transmission contains information that is confidential and may be privileged. It is intended only for the addressee(s) named above. If you receive this e-mail in error, please do not read, copy or disseminate it in any manner. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please erase it from your computer system. Your assistance in correcting this error is appreciated.
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
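The 18446744071562067968-byte rollover value that Marty attributes to a signage/wraparound issue is reproduced below in an added C example that is not daemonlogger's own source. It assumes one plausible cause, a 2 GiB default held in a signed 32-bit int and widened to an unsigned 64-bit byte count, and pairs it with a range-checked parser for the "-s 1g" / "-s 1000000000" forms discussed in the thread; treating k/m/g as powers of 1024 is also an assumption.

```c
/* Added example, not daemonlogger code. Assumed cause of the thread's
 * oversized rollover value: a 2 GiB default stored in a signed 32-bit int. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* 2147483648 (2 GiB) does not fit in int32_t; on common compilers it wraps
 * to INT32_MIN. Converting that negative value to uint64_t is well-defined
 * (2^64 is added) and yields 0xFFFFFFFF80000000 = 18446744071562067968.
 * A threshold that large is never reached, so the capture file simply keeps
 * growing, which matches the 2.1G file in the original report. */
uint64_t buggy_default_rollover(void)
{
    int32_t default_size = INT32_MIN;   /* what 2147483648 wraps to */
    return (uint64_t)default_size;      /* sign-extended on widening */
}

/* Parse "<digits>[k|m|g]" into a byte count. Returns 0 on success, -1 on
 * malformed, signed, zero or overflowing input; *out is untouched on error. */
int parse_rollover_size(const char *arg, uint64_t *out)
{
    char *end = NULL;
    uint64_t mult = 1, value;

    if (arg == NULL || *arg == '\0' || *arg == '-' || *arg == '+')
        return -1;                      /* strtoull would accept "-5" */
    errno = 0;
    value = strtoull(arg, &end, 10);
    if (errno == ERANGE || end == arg || value == 0)
        return -1;
    switch (*end) {                     /* optional unit suffix */
    case '\0': break;
    case 'k': case 'K': mult = 1024ULL; end++; break;
    case 'm': case 'M': mult = 1024ULL * 1024; end++; break;
    case 'g': case 'G': mult = 1024ULL * 1024 * 1024; end++; break;
    default: return -1;
    }
    if (*end != '\0')                   /* trailing garbage such as "1gb" */
        return -1;
    if (value > UINT64_MAX / mult)      /* the multiply would wrap */
        return -1;
    *out = value * mult;
    return 0;
}

/* Convenience wrapper: the parsed byte count, or 0 when the input is rejected
 * (0 is never a valid rollover size, so it doubles as the error marker). */
uint64_t parsed_or_zero(const char *arg)
{
    uint64_t v = 0;
    return parse_rollover_size(arg, &v) == 0 ? v : 0;
}
```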