snort log file question

ziegen · 04-29-2004, 11:12 AM

I have a question about snort and have been looking through the man pages etc and cant seem to find anything. I have a mandrake 10 box and run snort in a basic mode
snort -l /var/log/snort -c snort.conf
when I look in the /var/log/snort I find some ip address and an alert file. The alert file keeps growing and it hard to parse through. I was wondering if this file could be taged with a separate date. This would make it easier to view info for each date.

unSpawn · 05-02-2004, 04:23 PM

The alert file keeps growing and it hard to parse through.
What you could do is run logrotate on the logs and add a logparser (depends on what format you log in) to the prerotate section, or run a logparser hourly for reporting.

ziegen · 05-13-2004, 11:25 AM

I did some research on logrotate and I changed the following in the /etc/logrotate.d/snort

/var/log/snort/alert /var/log/snort/*log {
daily
rotate 7
missingok
compress
postrotate
/etc/init.d/snortd restart 2>/dev/nul || true
endscript
}

now when I run snort >> snort -l /var/log/snort -c snort.conf << it will .gz the file and tag it alert1.gz, alert2.gz etc. The only problem is when it zips up the alert file it stops snort from running and doesn't restart it. Any ideas on how to have it start it automatically?

unSpawn · 05-13-2004, 01:53 PM

I'd say try plain /etc/init.d/snortd restart and see what errors it gives. BTW, null is with two l's.

ziegen · 05-13-2004, 02:20 PM

There is two ll, sorry typo. I have two terminals open one running snort -l /var/log/snort -c snort.conf and the other is looking at the /etc/var/log/snort file. When the alert file is .gz then the terminal that was running snort is setting at the #. I restarted snort this am and I'm waiting for the alert file to compress then I check the /etc/init.d and run ./snortd status

ziegen · 05-14-2004, 07:31 PM

I checked the log today. Snort has stoped running since the last .gz alert file and when I run /etc/init.d snortd status it comes back with snort dead but subsys locked. How should I get snort to run after it .gz the alert file?

unSpawn · 05-15-2004, 03:42 AM

Snort has stoped running since the last .gz alert file and when I run /etc/init.d snortd status it comes back with snort dead but subsys locked.
Weird. Only ways I can imagine Snort stopping is when:
- the config files or rules where updated and Snort stumbled over an error (like with older versions of Snort and rules using say PCRE tags),
- network was brought down (it's a libpcap app, happens to all of them),
- it couldn't find it's logs while writing (unsure about that, haven't tested it).

In this case of subsys locks, if you execute "/etc/init.d/snortd stop" the subsys lock would be cleaned up, then issue a "/etc/init.d/snortd start".
Depending on your initscript "restart" would do the same, or not.

ziegen · 05-19-2004, 02:45 PM

I checked out another laptop I have running mandrake 9.1 and it didn't have the /etc/logrotate.d/snort file. i created it just as above ran chmod +x, ran snort and it ziped up the file fine. Only it didn't start snort back up. Anyone have any ideas on how to start snort back up automatically after it .gz the file?

unSpawn · 05-29-2004, 07:24 AM

In your logrotate script, add a postrotate statement, something like this:
"pgrep snort >/dev/null && kill -s 1 /usr/bin/snort || echo /etc/init.d/snort restart". If it's already running ask it to reread it's conf and close/open files, else do a hard restart.

ziegen · 08-19-2004, 02:49 PM

I have loaded snort on a server with 2 gig interface and 1 10/100 interface. Snort will run from /etc/snort when you issue the cmd snort -l /var/log/snort -c snort.conf. I have set up the log rotate and it works but snortd will not run. I issue the cmd in /etc/rc.d/init.d ./snortd status, stop, start and I get failed all the time. What could cause snort to run but not the daemon in /etc/rc.d/init.d...?