
More specifically, Snort filled up the /var/log/snort folder and it does not appear that it is being cleaned up properly. Two types of files are appearing in that folder: syslog... and snort.log...

I found the following configuration in /etc/logrotate.d/snort for syslog:

/var/log/snort/syslog {
    missingok
    postrotate
        /sbin/service snort condrestart >/dev/null 2>&1 || true
    endscript
}


The syslog... file seems to be configured properly, but I cannot find much for the snort.log... files. I am not even sure if this is a log file; it seems to be binary. Here is what I found in snort.conf:

###################################################
# Step #6: Configure output plugins
# For more information, see Snort Manual, Configuring Snort - Output Modules
###################################################

# unified2
# Recommended for most installs
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types

# Additional configuration for specific types of installs
# output alert_unified2: filename snort.alert, limit 128, nostamp
# output log_unified2: filename snort.log, limit 128, nostamp

# syslog
output alert_syslog: LOG_AUTHPRIV LOG_ALERT


I think this might be some type of analysis log, but these captures are filling up my file system. Is anyone else seeing this problem? Are they in the wrong place? Is a log rotation cleanup configuration required for this?
Friday, May 19 2017, 02:43 PM
Responses (3)
  • Accepted Answer

    Saturday, May 20 2017, 03:04 PM - #Permalink
    I thought I responded to this yesterday. Don't know what happened there.

    My system is the same. I am not sure what controls the snort.log.... files, but logrotate won't help there as the current file keeps changing name. The utility tmpwatch may help.

    Did you post your full /etc/logrotate.d/snort file, or do you have a section for /var/log/snortsam? I can't remember if I created the snortsam section. If I didn't, there is an odd bug/feature in that on each logrotate it restarts snort twice, once after syslog rotates and once after snortsam rotates. This is a bit silly and easily avoidable.

    [edit]
    Never mind about posting your /etc/logrotate.d/snort file. I've downloaded the rpm and the file is the same as mine. I've filed a bug for a minor tweak, but it may go nowhere as that branch is now EoL and there is already another bug raised to change versions of snort.
    [/edit]
  • Accepted Answer

    Sunday, May 21 2017, 02:07 PM - #Permalink
    Hello Nick

    Thanks for the reply. As you probably already guessed, no, I did not post the entire logrotate file. From what I understand, even if Snortsam shows as a different service it is a plugin to Snort, and when restarted they are probably intertwined, so combining all the logs in the rotation might be appropriate?

    This bug disrupted the operation of my gateway and is a reminder that I should have made the log folder its own logical volume. I understand that an update to Snort is well overdue, but this bug is in both versions 6 & 7 of ClearOS; not sure how wise it is to ignore.

    Something like:
    /var/log/snort.log {
        rotate 2
        size 50k
        compress
        notifempty
        copytruncate
        missingok
    }
    could be helpful?
  • Accepted Answer

    Sunday, May 21 2017, 03:10 PM - #Permalink
    Your logrotate configuration won't work as there is no log file /var/log/snort.log. That is why I suggested tmpwatch, which is another neat utility and will delete files based on date. Have a look at /etc/cron.daily/tmpwatch for an example, which is a bit OTT for what you need.

    My amended /etc/logrotate.d/snort file now looks like:
    # Logrotates combined by njh to stop snort restarting twice on rotation
    /var/log/snort/syslog /var/log/snortsam {
        missingok
        sharedscripts
        postrotate
            /sbin/service snort condrestart >/dev/null 2>&1 || true
        endscript
    }

    As part of the postrotate script you could try something like (untested):
    tmpwatch 70d --all -m /var/log/snort.log.*
    I can't remember what the switches mean. I've just nicked it from another thing of mine. You don't need all the switches, as one is for deleting folders, which I needed. Alternatively you could put that line into a cron.daily or cron.weekly job.
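The thread's conclusion is that logrotate cannot manage the snort.log.* files because Snort names each one after its start time (every restart, including the condrestart in the postrotate above, opens a fresh snort.log.<timestamp>), so the cleanup has to be age-based rather than name-based. The script below is an added example, not code from the thread or from ClearOS/Snort; it does with plain find(1) what the tmpwatch line above does, with two refinements a practitioner would want: it never deletes the newest snort.log.* file (the one Snort still has open, which would otherwise be an unlinked file that keeps eating disk until the next restart), and it has a dry-run mode. The log directory, the snort.log. prefix and the 70-day retention are assumptions taken from the thread; the sample files the usage note mentions are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or from ClearOS/Snort): prune the
# timestamped snort.log.<epoch> packet/unified2 logs that logrotate cannot
# track. Assumes the directory and the "snort.log." prefix used in the thread;
# retention is given in days and applied as find(1)'s -mtime +N.

# prune_snort_logs DIR DAYS [yes]
#   Deletes DIR/snort.log.* files whose mtime is more than DAYS days old,
#   except the newest such file (Snort is still writing to it). Pass "yes"
#   as the third argument to only list what would be deleted.
prune_snort_logs() {
    logdir="$1"
    keep_days="$2"
    dry_run="${3:-no}"

    # Newest timestamped log by mtime is the one Snort currently has open;
    # deleting it would leave an unlinked file that still consumes space.
    newest=$(ls -t "$logdir"/snort.log.* 2>/dev/null | head -n 1)

    find "$logdir" -maxdepth 1 -type f -name 'snort.log.*' \
         -mtime +"$keep_days" ! -path "$newest" -print |
    while read -r f; do
        if [ "$dry_run" = "yes" ]; then
            echo "would delete $f"
        else
            rm -f -- "$f" && echo "deleted $f"
        fi
    done
}

# count_snort_logs DIR: number of snort.log.* files remaining (for checking).
count_snort_logs() {
    find "$1" -maxdepth 1 -type f -name 'snort.log.*' | wc -l | tr -d ' '
}

# When run as a script: prune-snort-logs.sh /var/log/snort 70 [yes]
if [ "$#" -ge 2 ]; then
    prune_snort_logs "$@"
fi
```

Dropped into /etc/cron.daily (as the answer above suggests for the tmpwatch line) and called as `prune_snort_logs /var/log/snort 70`, it leaves the syslog file alone for logrotate and removes only the aged-out captures; run it once with `yes` as the third argument first to see what it would remove. Note that a file Snort has open but which is not the newest one (for example after a crash that left a stale file) is deleted like any other old file, which is the intended behaviour here.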