Bug #8577

closed

Snort - Log retention not working

Added by Clinton Cory almost 6 years ago. Updated almost 5 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
Snort
Target version:
-
Start date:
06/16/2018
Due date:
% Done:
0%

Estimated time:
Plus Target Version:
Affected Version:
2.4.3_1
Affected Plus Version:
Affected Architecture:

Description

The Snort package has an option under Services -> Snort -> Interfaces -> Log Mgmt to configure "Log Size and Retention Limits" for the following logs:

GUI name: alert
Name in config.xml: <alert_log_limit_size> | <alert_log_retention>
Actual log filename: 'alert'

GUI name: appid-stats
Name in config.xml: <appid_stats_log_limit_size> | <appid_stats_log_retention>
Actual log filename: app-stats.log

GUI name: event_pcaps
Name in config.xml: <event_log_limit_size> | <event_log_retention>

GUI name: sid_changes
Name in config.xml: <sid_changes_log_limit_size> | <sid_changes_log_retention>

GUI name: stats
Name in config.xml: <appid_stats_log_limit_size> | <appid_stats_log_retention>
Actual log filename: snort.log

When retention is configured, a check occurs every 5 minutes (cronjob) to determine if any rotated logs are older than the retention time configured for that log set. This check is performed by the function 'snort_check_rotate_log' in snort_check_cron_misc.inc.

The function is passed three parameters to evaluate with: snort_log_dir, limit, and retention.

Those parameters are defined in the 'logs' array. For each index in the array, pass the appropriate parameters for that log set to 'snort_check_rotate_logs'.

Only one set of logs is being assigned to 'logs', resulting in other log sets not being removed when the check occurs:
$logs['sid_changes.log']['limit'] = $config['installedpackages']['snortglobal']['sid_changes_log_limit_size'];
$logs['sid_changes.log']['retention'] = $config['installedpackages']['snortglobal']['sid_changes_log_retention'];

This can cause the partition to fill up until the logs are manually removed. There will also be log entries every 5 minutes indicating the directory size limit has been exceeded.

I was able to get logs to properly clear out when expired by adding the other log sets to 'logs':
$logs['app-stats.log']['limit'] = $config['installedpackages']['snortglobal']['appid_stats_log_limit_size'];
$logs['app-stats.log']['retention'] = $config['installedpackages']['snortglobal']['appid_stats_log_retention'];
$logs['alert']['limit'] = $config['installedpackages']['snortglobal']['alert_log_limit_size'];
$logs['alert']['retention'] = $config['installedpackages']['snortglobal']['alert_log_retention'];
$logs['snort.log']['limit'] = $config['installedpackages']['snortglobal']['stats_log_limit_size'];
$logs['snort.log']['retention'] = $config['installedpackages']['snortglobal']['stats_log_retention'];

I also modified the if loops within the 'snort_check_rotate_log' function to include brackets but I don't know that it was necessary. I had some issues getting debug information in portions of the function as though it was exiting the function before running all the checks within it but it probably was a result of something I did while testing.
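To make the failure mode described in the report concrete, the following is an added Python simulation of the retention sweep. It is not the Snort package's own PHP code from snort_check_cron_misc.inc; it mirrors the shape of the 'logs' array (log file name keyed to a limit and a retention pulled from the snortglobal config keys listed above) and runs the age check over a constructed temporary directory. Assumptions not taken from the ticket: rotated copies are named '<name>.<suffix>' beside the live log, retention is in hours, 0 means keep forever, and the directory size limit is carried but not evaluated. The buggy registration (sid_changes only) and the fixed one (all four sets) are run side by side.

```python
"""Simulate the Snort package rotated-log retention sweep (added example)."""
import glob
import os
import shutil
import tempfile
import time

# config.xml key pairs per log set, as listed in the report:
# actual log file name -> (limit key, retention key) under snortglobal
LOG_SETS = {
    "sid_changes.log": ("sid_changes_log_limit_size", "sid_changes_log_retention"),
    "app-stats.log": ("appid_stats_log_limit_size", "appid_stats_log_retention"),
    "alert": ("alert_log_limit_size", "alert_log_retention"),
    "snort.log": ("stats_log_limit_size", "stats_log_retention"),
}


def build_logs(snortglobal, names):
    """Equivalent of filling the $logs array: one entry per registered set.

    The bug in the ticket is that only 'sid_changes.log' was passed in
    'names'; the fix registers every set in LOG_SETS.
    """
    logs = {}
    for name in names:
        limit_key, retention_key = LOG_SETS[name]
        logs[name] = {
            "limit": int(snortglobal.get(limit_key, 0)),        # carried, not checked here
            "retention": int(snortglobal.get(retention_key, 0)),
        }
    return logs


def expired_rotated_logs(snort_log_dir, logs, now=None):
    """Return rotated files older than their set's retention.

    Assumptions (not from the ticket): rotated copies are named
    '<name>.<suffix>' next to the live log; retention is in hours;
    a retention of 0 disables the age check for that set.
    """
    now = time.time() if now is None else now
    expired = []
    for name, params in logs.items():
        retention_hours = params["retention"]
        if retention_hours <= 0:
            continue
        cutoff = now - retention_hours * 3600
        # 'alert.*' never matches the live 'alert' file, only its rotations
        for path in glob.glob(os.path.join(snort_log_dir, name + ".*")):
            if os.path.getmtime(path) < cutoff:
                expired.append(os.path.basename(path))
    return sorted(expired)


# Constructed sample config: 7 days (168 h) retention on every set,
# with an arbitrary size limit that this example does not evaluate.
SAMPLE_CONFIG = {}
for _limit_key, _retention_key in LOG_SETS.values():
    SAMPLE_CONFIG[_limit_key] = "500"
    SAMPLE_CONFIG[_retention_key] = "168"


def make_sample_dir(now):
    """Constructed sample directory: a live log plus one rotated copy
    (hypothetical '.1' suffix) per set, the rotated copy 10 days old."""
    log_dir = tempfile.mkdtemp(prefix="snortlog-")
    ten_days_ago = now - 10 * 86400
    for name in LOG_SETS:
        live = os.path.join(log_dir, name)
        rotated = os.path.join(log_dir, name + ".1")
        for path in (live, rotated):
            with open(path, "w") as fh:
                fh.write("sample\n")
        os.utime(rotated, (ten_days_ago, ten_days_ago))
    return log_dir


def sweep(names, now=None):
    """Run one cron-style pass with the given log sets registered and
    return the rotated files that pass would remove."""
    now = time.time() if now is None else now
    log_dir = make_sample_dir(now)
    try:
        return expired_rotated_logs(log_dir, build_logs(SAMPLE_CONFIG, names), now)
    finally:
        shutil.rmtree(log_dir)


if __name__ == "__main__":
    # As reported: only sid_changes.log rotations are ever purged.
    print("buggy:", sweep(["sid_changes.log"]))
    # With every set registered, all four expired rotations go.
    print("fixed:", sweep(list(LOG_SETS)))
```

The buggy pass leaves the 10-day-old alert, app-stats.log and snort.log rotations in place even though each set has a 7-day retention configured, which is exactly the partition-filling behaviour the report describes; registering every set makes the same pass remove all four.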

Actions #1

Updated by Bill Meeks over 5 years ago

Thanks for the bug report. I will get this fixed up in the next Snort GUI package update.

Bill

Actions #2

Updated by Bill Meeks almost 5 years ago

This issue is resolved and this ticket can be closed.

Actions #3

Updated by Jim Pingle almost 5 years ago

  • Status changed from New to Resolved