Snort log rotation suggestions

zerocomm · 05-26-2004, 03:41 PM

Hi.

I run snort on my NIDS and I want to be able to rotate these log files every 3 months so I don't have extremely stale logs laying around. I already have a method to permanently back them up, so this is just to keep the directory coherent.

Snort logs are saved in /var/log/snort. This is what the contents of the directory lok like.

/var/log/snort contents:

(ip)xxx.xxx.x.xxx (ip)xxx.xxx.xxx.xx/ (ip)xxx.xxx.xxx.xxx/ alert

Capt_Caveman · 05-26-2004, 10:23 PM

Have you tried just using logrotate? Just create a file in the /etc/logrotate.d/ directory (you can name it snort). Then depending on what you want to do (check the logrotate man page), you can write a small script to handle the rotation. You can set it up to compress the alert file, move it to an archive, then wipe the contents of /var/log/snort, then make a new alert file and restart snort. Using the postrotate option to execute those commands as sort of a "mini-script" works well.