9.24. Logging with Snort
Problem
You want to manage Snort’s output and log files in an efficient, effective manner.
Solution
To log network trace data for later analysis:
# snort -b [-l logging-directory] [-L basename]
To examine the network trace data:
$ snort -r logfile
or use any other program that reads libpcap-format files, like Ethereal. [Recipe 9.17]
To manage the logs, don’t use logrotate. [Recipe 9.30] Instead, periodically tell Snort to close all of its files and restart, by sending it a SIGHUP signal:
# kill -HUP `pidof snort`
Then, use find to remove all files that are older than (say) a week:
# find /var/log/snort -type f -mtime +7 -print0 | xargs -0 -r rm
Finally, use find again to remove empty subdirectories:
# find /var/log/snort -mindepth 1 -depth -type d -print0 | \
    xargs -0 -r rmdir -v --ignore-fail-on-non-empty
To run these commands (for example) every night at 3:30 a.m., create a cleanup script (say, /usr/local/sbin/clean-up-snort) and add a crontab entry for root:
30 3 * * * /usr/local/sbin/clean-up-snort
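A cleanup script of the kind the Solution describes, added here as an example and not the book's own code. It assumes GNU find, xargs, rmdir and date, and a crontab line of the form `30 3 * * * /usr/local/sbin/clean-up-snort run` (the `run` argument keeps the functions loadable for testing); the paths and the seven-day retention are the recipe's defaults.

```shell
#!/bin/sh
# Added example: a clean-up-snort script built from the Solution's steps.
# Assumes GNU find/xargs/rmdir/date; the default paths are assumptions.
set -eu

SNORT_LOG_DIR="${SNORT_LOG_DIR:-/var/log/snort}"   # Snort's default log directory
RETAIN_DAYS="${RETAIN_DAYS:-7}"                     # delete files older than this

# Ask every running Snort to close its files and reopen them (SIGHUP).
# A missing daemon is not an error: there is simply nothing to signal.
rotate_snort_logs() {
    pids=$(pidof snort 2>/dev/null || true)
    # $pids is deliberately unquoted so each PID becomes its own argument
    [ -n "$pids" ] && kill -HUP $pids
    return 0
}

# Remove regular files under $1 older than $2 days, then prune the
# subdirectories left empty (Snort keeps one directory per source host).
prune_snort_logs() {
    dir="$1"; days="$2"
    find "$dir" -type f -mtime +"$days" -print0 | xargs -0 -r rm --
    find "$dir" -mindepth 1 -depth -type d -print0 \
        | xargs -0 -r rmdir --ignore-fail-on-non-empty
}

# Turn the epoch-seconds suffix of a snort.log.<seconds> name into a
# readable timestamp; UTC so the answer does not depend on the host TZ.
snort_log_time() {
    name="${1##*/}"                # drop any leading directory
    secs="${name##*.}"             # digits after the last dot
    date -u -d "@$secs" '+%Y-%m-%d %H:%M:%S UTC'
}

main() {
    rotate_snort_logs
    sleep 2                        # let Snort reopen its files first
    prune_snort_logs "$SNORT_LOG_DIR" "$RETAIN_DAYS"
}

# cron invokes "clean-up-snort run"; without the argument the script only
# defines its functions, so it can be sourced and tested safely.
case "${1:-}" in
    run) main ;;
esac
```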
Discussion
To log network trace data for later analysis, use the -b option. This creates a libpcap-format binary file in the logging directory (by default, /var/log/snort) with a name like snort.log.1047160213: the digits record the start time of the trace, expressed as seconds since the epoch.[11] To convert this value to a more readable format, use either Perl or the date command:
$ perl -e 'print scalar localtime 1047160213, "\n";'
Sat Mar 8 16:50:13 2003
$ date -d ...