More specifically, Snort filled up the /var/log/snort folder and it does not appear that it is being cleaned up properly. Two types of files are appearing in that folder: syslog... and snort.log...
I found the following configuration in /etc/logrotate.d/snort for syslog:
/var/log/snort/syslog {
    missingok
    postrotate
        /sbin/service snort condrestart >/dev/null 2>&1 || true
    endscript
}
The syslog... file seems to be configured properly, but I cannot find much for the snort.log... files. I am not even sure if this is a log file; it seems to be binary. Here is what I found in the snort.conf:
###################################################
# Step #6: Configure output plugins
# For more information, see Snort Manual, Configuring Snort - Output Modules
###################################################
# unified2
# Recommended for most installs
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
# Additional configuration for specific types of installs
# output alert_unified2: filename snort.alert, limit 128, nostamp
# output log_unified2: filename snort.log, limit 128, nostamp
# syslog
output alert_syslog: LOG_AUTHPRIV LOG_ALERT
I think this might be some type of analysis log? But these captures are filling up my file system. Is anyone else seeing this problem? Are they in the wrong place? Is there a log rotation cleanup configuration required for this?
Responses (3)
Accepted Answer
I thought I responded to this yesterday. Don't know what happened there.
My system is the same. I am not sure what controls the snort.log... files, but logrotate won't help there as the current file keeps changing name. The utility tmpwatch may help.
Did you post your full /etc/logrotate.d/snort file or do you have a section for /var/log/snortsam? I can't remember if I created the snortsam section. If I didn't, there is an odd bug/feature in that each logrotate it restarts snort twice, once after syslog rotates and once after snortsam rotates. This is a bit silly and easily avoidable.
[edit]
Never mind about posting your /etc/logrotate.d/snort file. I've downloaded the rpm and the file is the same as mine. I've filed a bug for a minor tweak, but it may go nowhere as that branch is now EoL and there is already another bug raised to change versions of snort.
[/edit]
Accepted Answer
Hello Nick
Thanks for the reply. As you probably already guessed, no, I did not post the entire logrotate file. From what I understand, even if Snortsam shows as a different service it is a plugin to Snort, and when restarted they are probably intertwined, so combining all the logs in the rotation might be appropriate?
This bug disrupted the operation of my Gateway and is a reminder that I should have made the log folder its own logical volume. I understand that an update to Snort is well overdue, but this bug is in both version 6 & 7 of ClearOS; not sure how wise it is to ignore.
Something like:
/var/log/snort.log {
    rotate 2
    size 50k
    compress
    notifempty
    copytruncate
    missingok
}
could be helpful?
Accepted Answer
Your logrotate function won't work as there is no log file /var/log/snort.log. That is why I suggested tmpwatch which is another neat utility and will delete files based on date. Have a look at /etc/cron.daily/tmpwatch for an example which is a bit OTT for what you need.
My amended /etc/logrotate.d/snort file now looks like:
# Logrotates combined by njh to stop snort restarting twice on rotation
/var/log/snort/syslog /var/log/snortsam {
    missingok
    sharedscripts
    postrotate
        /sbin/service snort condrestart >/dev/null 2>&1 || true
    endscript
}
As part of the postrotate scripts you could try something like (untested):
tmpwatch 70d --all -m /var/log/snort.log.*
I can't remember what the switches mean. I've just nicked it from another thing of mine. You don't need all the switches, as one is for deleting folders, which I needed. Alternatively you could put that line into a cron.daily or cron.weekly job.
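Because each unified2 file name carries the epoch time at which Snort opened it, a fixed path in a logrotate stanza never matches, and age-based deletion is the tool that fits. The following is an added example, not code from this thread or from ClearOS: a small POSIX shell function that does what the tmpwatch line above is aiming at, in the /var/log/snort directory the original post shows, while leaving the newest file (the one Snort is still writing) untouched. The 70-day retention and the cron.daily placement are assumptions.

```shell
#!/bin/sh
# Age-based cleanup for Snort unified2 output files (snort.log.<epoch>).
# Added example; not part of the thread or of ClearOS. Assumptions:
# logs live in /var/log/snort and 70 days of retention is acceptable.
#
# Why not logrotate: the file name changes every time Snort opens a new
# unified2 file, so a fixed path never matches, and copytruncate would
# corrupt the binary stream Snort is still appending to.

# prune_snort_logs DIR DAYS
# Deletes snort.log.* regular files in DIR whose mtime is older than DAYS,
# but never the newest one, which Snort may still hold open.
# Prints the path of each file it removed.
prune_snort_logs() {
    dir=${1%/}
    days=$2
    # Newest file by mtime (empty string if there are no files at all).
    newest=$(ls -1t "$dir"/snort.log.* 2>/dev/null | head -n 1)
    find "$dir" -maxdepth 1 -type f -name 'snort.log.*' \
        -mtime +"$days" ! -path "$newest" -print -delete
}

# Run directly (e.g. from /etc/cron.daily/snort-prune) with the directory
# and retention as arguments; with no arguments only the function is defined.
if [ $# -ge 1 ]; then
    prune_snort_logs "$1" "${2:-70}"
fi
```

Check the output in /var/log/cron or by running it by hand once before trusting it from cron, and note that the unified2 files it removes are binary alert/packet records, so anything you still want from them should be read with a unified2 reader first.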