Log Rotation for snort log does not seem to be working CentOS4.5

JasonKretzer · 06-21-2007, 10:31 AM

Hey Gang,

Another day, another issue...

for some reason the log file for snort

/var/log/snort/alert

is not getting rotated daily. It is just getting
bigger and bigger. I have taken a look at the
logrotate services and it should be rotating properly.
Anyone have any ideas here? I am attaching the
appropriate logrotate config files below. Let me know if you need more information.

Thanks,

-Jason

============================================

Code:

# /etc/logrotate.conf
# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# uncomment this if you want your log files compressed
#compress

# RPM packages drop log rotation information into this
directory
include /etc/logrotate.d

# no packages own wtmp -- we'll rotate them here
/var/log/wtmp {
monthly
create 0664 root utmp
rotate 1
}

============================================

============================================

Code:

# /etc/logrotate.d/snort
# $Id$

/var/log/snort/alert /var/log/snort/*log
/var/log/snort/*/alert /var/log/snort/*/*log {
daily
rotate 7
compress
missingok
notifempty
create 0640 snort adm
sharedscripts
postrotate
/etc/init.d/snortd restart 1>/dev/null || true
endscript
}

============================================

Anything I am missing here?

unSpawn · 06-22-2007, 03:25 PM

What shows if you logrotate manually using the 'force' arg?

JasonKretzer · 06-25-2007, 07:57 AM

DOH! Found it. It was crapping out because it could not find

/var/log/snort/*log
/var/log/snort/*/alert /var/log/snort/*/*log

For some reason, this caused the logrotate not to work...

I would not have found that as quickly without your suggestion to use the "force" command.

Thanks,

-Jason

unSpawn · 06-25-2007, 12:25 PM

Well, using the Force comes naturally with some, innit? :-]