Bug #8577
Snort - Log retention not working
Status: closed
Description
The Snort package has an option under Services -> Snort -> Interfaces -> Log Mgmt to configure "Log Size and Retention Limits" for the following logs:
GUI name: alert
  Name in config.xml: <alert_log_limit_size> | <alert_log_retention>
  Actual log filename: alert
GUI name: appid-stats
  Name in config.xml: <appid_stats_log_limit_size> | <appid_stats_log_retention>
  Actual log filename: app-stats.log
GUI name: event_pcaps
  Name in config.xml: <event_log_limit_size> | <event_log_retention>
GUI name: sid_changes
  Name in config.xml: <sid_changes_log_limit_size> | <sid_changes_log_retention>
GUI name: stats
  Name in config.xml: <appid_stats_log_limit_size> | <appid_stats_log_retention>
  Actual log filename: snort.log
When retention is configured, a check occurs every 5 minutes (cronjob) to determine if any rotated logs are older than the retention time configured for that log set. This check is performed by the function 'snort_check_rotate_log' in snort_check_cron_misc.inc
The function is passed three parameters to evaluate with: snort_log_dir, limit, and retention
Those parameters are defined in the 'logs' array. For each index in the array, the appropriate parameters for that log set are passed to 'snort_check_rotate_log'.
Only one set of logs is being assigned to 'logs', resulting in the other log sets not being removed when the check occurs:
$logs['sid_changes.log']['limit'] = $config['installedpackages']['snortglobal']['sid_changes_log_limit_size'];
$logs['sid_changes.log']['retention'] = $config['installedpackages']['snortglobal']['sid_changes_log_retention'];
This can cause the partition to fill up until the logs are manually removed. There will also be log entries every 5 minutes indicating the directory size limit has been exceeded.
I was able to get logs to properly clear out when expired by adding the other log sets to 'logs':
// One entry per log set, keyed by the on-disk filename rather than the GUI name
$logs['app-stats.log']['limit'] = $config['installedpackages']['snortglobal']['appid_stats_log_limit_size'];
$logs['app-stats.log']['retention'] = $config['installedpackages']['snortglobal']['appid_stats_log_retention'];
$logs['alert']['limit'] = $config['installedpackages']['snortglobal']['alert_log_limit_size'];
$logs['alert']['retention'] = $config['installedpackages']['snortglobal']['alert_log_retention'];
$logs['snort.log']['limit'] = $config['installedpackages']['snortglobal']['stats_log_limit_size'];
$logs['snort.log']['retention'] = $config['installedpackages']['snortglobal']['stats_log_retention'];
I also modified the if loops within the 'snort_check_rotate_log' function to include brackets but I don't know that it was necessary. I had some issues getting debug information in portions of the function as though it was exiting the function before running all the checks within it but it probably was a result of something I did while testing.
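As an added example (not the pfSense Snort package's own code), the retention table built from a single filename-to-config-key map so that no log set can be left out, plus a stand-in for the age check that 'snort_check_rotate_log' performs on rotated copies. The rotated-file naming (<name>.<suffix>), the retention unit (hours), the sample config values and the helper names are assumptions for this example; the size-limit check is not shown.

```php
<?php
// Constructed sample of $config['installedpackages']['snortglobal'];
// limit in KB and retention in hours are assumed units for this example.
$snortglobal = array(
    'alert_log_limit_size'       => 500, 'alert_log_retention'       => 24,
    'appid_stats_log_limit_size' => 500, 'appid_stats_log_retention' => 24,
    'stats_log_limit_size'       => 500, 'stats_log_retention'       => 24,
    'sid_changes_log_limit_size' => 500, 'sid_changes_log_retention' => 24,
);

// Builds one entry per log set, keyed by the ACTUAL filename on disk.
// Keeping the filename -> config-key map in one place is what prevents
// a set from being silently skipped by the 5-minute cron check.
function snort_build_log_table(array $g) {
    $map = array(
        'alert'           => 'alert_log',
        'app-stats.log'   => 'appid_stats_log',
        'snort.log'       => 'stats_log',
        'sid_changes.log' => 'sid_changes_log',
    );
    $logs = array();
    foreach ($map as $file => $prefix) {
        $logs[$file]['limit']     = (int)$g["{$prefix}_limit_size"];
        $logs[$file]['retention'] = (int)$g["{$prefix}_retention"];
    }
    return $logs;
}

// Stand-in (hypothetical) for the age part of snort_check_rotate_log():
// remove rotated copies "<name>.<suffix>" older than $retention hours.
// Returns the basenames it removed; retention 0 means keep forever.
function snort_prune_rotated(string $dir, string $name, int $retention, int $now) {
    $removed = array();
    if ($retention <= 0) return $removed;
    foreach (glob("{$dir}/{$name}.*") as $f) {
        if ($now - filemtime($f) > $retention * 3600) {
            unlink($f);
            $removed[] = basename($f);
        }
    }
    return $removed;
}

// Demo in a temp dir: one fresh and one two-day-old rotated copy per log set.
$dir = sys_get_temp_dir() . '/snort_demo_' . getmypid();
mkdir($dir);
$now  = time();
$logs = snort_build_log_table($snortglobal);
foreach (array_keys($logs) as $name) {
    touch("{$dir}/{$name}.fresh", $now);
    touch("{$dir}/{$name}.stale", $now - 2 * 86400);
}
foreach ($logs as $name => $p) {
    printf("%-16s removed: %s\n", $name,
        implode(', ', snort_prune_rotated($dir, $name, $p['retention'], $now)));
}
```

Each log set should report its '.stale' copy removed and keep the '.fresh' one; a set missing from the table would never appear in the loop, which is exactly the symptom described above.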
Updated by Bill Meeks almost 7 years ago
Thanks for the bug report. I will get this fixed up in the next Snort GUI package update.
Bill
Updated by Bill Meeks almost 6 years ago
This issue is resolved and this ticket can be closed.