LinuxQuestions.org

Linux - Security forum thread: https://www.linuxquestions.org/questions/linux-security-4/snort-log-rotation-suggestions-186202/

zerocomm 05-26-2004 03:41 PM

Snort log rotation suggestions
 
Hi.

I run snort on my NIDS and I want to be able to rotate these log files every 3 months so I don't have extremely stale logs laying around. I already have a method to permanently back them up, so this is just to keep the directory coherent.

Snort logs are saved in /var/log/snort. This is what the contents of the directory look like.

/var/log/snort contents:

(ip)xxx.xxx.x.xxx (ip)xxx.xxx.xxx.xx/ (ip)xxx.xxx.xxx.xxx/ alert

Capt_Caveman 05-26-2004 10:23 PM

Have you tried just using logrotate? Just create a file in the /etc/logrotate.d/ directory (you can name it snort). Then depending on what you want to do (check the logrotate man page), you can write a small script to handle the rotation. You can set it up to compress the alert file, move it to an archive, then wipe the contents of /var/log/snort, then make a new alert file and restart snort. Using the postrotate option to execute those commands as sort of a "mini-script" works well.
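A logrotate file of the kind Capt_Caveman describes, written here as an added example rather than taken from the thread: logrotate itself rotates and compresses the alert file, and the postrotate block archives and wipes the per-host packet directories and restarts snort. It assumes snort runs as user/group "snort", that /var/log/snort/archive already exists, and that snort is restarted via /etc/init.d/snort; adjust those to your system.

```conf
# /etc/logrotate.d/snort  (added example, not from the original thread)
#
# logrotate has no "quarterly" keyword, so this runs monthly and keeps
# three generations, i.e. the last three months of alert files stay in
# the archive directory.  For a strict every-three-months rotation, run
# "logrotate -f /etc/logrotate.d/snort" from a cron entry instead.
/var/log/snort/alert {
    monthly
    rotate 3
    compress
    delaycompress          # keep the newest rotated copy uncompressed one cycle
    missingok              # no error if the alert file is absent
    notifempty             # skip the rotation when nothing was logged
    create 0640 snort snort   # assumed snort user/group; new empty alert file
    olddir /var/log/snort/archive   # must exist and be on the same filesystem
    sharedscripts
    postrotate
        # Archive the per-host packet-capture directories (the xxx.xxx.xxx.xxx
        # entries) into a dated tarball, then remove them from /var/log/snort.
        stamp=$(date +%Y%m%d)
        cd /var/log/snort || exit 0
        dirs=$(find . -mindepth 1 -maxdepth 1 -type d ! -name archive)
        if [ -n "$dirs" ]; then
            tar czf "archive/packets-$stamp.tar.gz" $dirs && rm -rf $dirs
        fi
        # Restart snort so it opens the freshly created alert file.
        /etc/init.d/snort restart > /dev/null 2>&1 || true
    endscript
}
```

Check the file with `logrotate -d /etc/logrotate.d/snort` first: debug mode prints what would be rotated and runs nothing.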

