This is the log rotation script and nightly report generator that I use with snort. It is missing the final purge section, which differs from install to install. The original client I wrote this for had a 23 GB /var partition, and the machine's only purpose was to run snort, so it was no problem keeping the tar files around for over a year.
You'll notice I use snort_stat.pl to generate the reports. I did a fair amount of testing and found snort_stat.pl by Yen-Ming Chen to be a good choice, plus it was easy to modify where needed. Check out http://www.snort.org/dl/contrib/data_analysis/ for this file and more.
The other piece of code you'll see referenced is ids_mailer.pl, which is simply a secure sendmail interface to send out the nightly reports. I'm not going to post it at this time since there is really nothing to be learned from it.
#!/bin/sh
# Shell script for IDS user cron job which will
# handle generating reports via snort_stat.pl
# and email the results via ids_mailer.pl
#
# Written by Mike Tremaine
# Copyright 12/12/2002
###########################
# Check the date: if it's the 1st of the month,
# tar up all .reports into a monthly tar.gz
# Todo:
# Question is how long to keep the monthly tar? 12 months?
# Last thing should be to remove the 13-month-old tar from each?

# Globals
# %e pads the day with a space ("1" comes back as " 1"); strip it so the
# comparisons below still work when the variable is quoted.
check_day=`date +%e | tr -d ' '`
# Get yesterday in log file format (see my snortd) -mgt
month_label=`date -d yesterday +%Y-%m`
date=`date -d yesterday +%Y-%m-%d`
last_week=`date -d -192hours +%Y-%m-%d`
last_month=`date -d -1month +%Y-%m`
###########################
# Generate and mail yesterday's report unless it already exists, so a
# re-run of the cron job does not send the same report twice.
if ! [ -f /var/log/snort/ids_reports/$date.report ]; then
    cat /var/log/snort/logs_$date/alert | /var/log/snort/bin/snort_stat.pl -r > \
        /var/log/snort/ids_reports/$date.report
    /var/log/snort/bin/ids_mailer.pl $date
fi
###########################
# Next tar up the log directory from 192 hours (8 days) ago. The directory
# is only removed once its archive exists and is non-empty.
cd /var/log/snort || exit 1
if [ -d /var/log/snort/logs_$last_week ]; then
    tar cfz /var/log/snort/logs_$last_week.tar.gz ./logs_$last_week/
    if [ -s /var/log/snort/logs_$last_week.tar.gz ]; then
        rm -r -f ./logs_$last_week
    fi
fi
#########################
# Tar up last month's reports if it's the 1st
if [ "$check_day" = 1 ] && [ -f /var/log/snort/ids_reports/$date.report ]; then
    cd /var/log/snort/ids_reports || exit 1
    tar cfz /var/log/snort/ids_reports/$month_label.tar.gz ./$month_label-*.report
    if [ -s /var/log/snort/ids_reports/$month_label.tar.gz ]; then
        rm -f ./$month_label-*.report
    fi
fi
##########################
# Next create monthly tars to hold the dailies, on the 15th. The dailies
# are already gzipped, so the monthly tar is left uncompressed.
if [ "$check_day" = 15 ] && \
   [ -f /var/log/snort/logs_$last_month-15.tar.gz ]; then
    cd /var/log/snort || exit 1
    tar cf /var/log/snort/logs_$last_month.tar ./logs_$last_month-*.tar.gz
    if [ -s /var/log/snort/logs_$last_month.tar ]; then
        rm -f ./logs_$last_month-*.tar.gz
    fi
fi
exit 0
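The purge step that the script above leaves out (the "remove the 13-month-old tar" item in its Todo), as an added example that is not part of the original script or of snort. It selects archives by the YYYY-MM label in the file name rather than by mtime, because a restore or disk migration can reset timestamps and make find -mtime delete the wrong month. The function names (month_index, is_expired, purge_monthly, make_sample_tree), the 12-month retention and the empty sample files it creates under a temporary directory are assumptions for illustration; unlike the script's date -d calls, it needs only POSIX sh.

```shell
#!/bin/sh
# Added example, not part of the original rotation script or of snort.
# Purges the monthly archives the script accumulates:
#   /var/log/snort/logs_YYYY-MM.tar  and  /var/log/snort/ids_reports/YYYY-MM.tar.gz
# Function names, the 12-month default and the sample tree are assumptions.

# Turn a YYYY-MM label into a month count so labels compare as integers.
month_index() {
    y=${1%-*}
    m=${1#*-}
    m=${m#0}                      # "08" -> "8": a leading 0 would be read as octal
    echo $(( y * 12 + m ))
}

# True when label $1 is more than $2 months before label $3.
is_expired() {
    [ $(( $(month_index "$3") - $(month_index "$1") )) -gt "$2" ]
}

# Delete the monthly archives under $1 that are older than $2 months
# relative to month $3. Each deleted path is logged on stderr and the count
# is printed on stdout. DRY_RUN=1 lists the candidates without deleting.
purge_monthly() {
    dir=$1; keep=$2; now=$3; removed=0
    for f in "$dir"/logs_????-??.tar "$dir"/ids_reports/????-??.tar.gz; do
        [ -f "$f" ] || continue                 # an unmatched glob stays literal
        label=${f##*/}
        label=${label#logs_}
        label=${label%%.tar*}
        case $label in
            [0-9][0-9][0-9][0-9]-[0-9][0-9]) ;;
            *) continue ;;                      # not one of our archives
        esac
        if is_expired "$label" "$keep" "$now"; then
            echo "purge: $f" >&2
            [ "${DRY_RUN:-0}" = 1 ] || rm -f -- "$f"
            removed=$(( removed + 1 ))
        fi
    done
    echo "$removed"
}

# Constructed sample tree (empty files, not real snort data) in a temp dir.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir "$d/ids_reports"
    for m in 2001-12 2002-01 2002-02 2002-03 2002-11; do
        : > "$d/logs_$m.tar"
        : > "$d/ids_reports/$m.tar.gz"
    done
    : > "$d/logs_2002-03-04.tar.gz"            # a daily tar: must be left alone
    echo "$d"
}

# Stand-alone run: keep 12 months as of 2003-03, so 2002-02 and older go.
tree=$(make_sample_tree)
purge_monthly "$tree" 12 2003-03 >/dev/null
ls "$tree" "$tree/ids_reports"
rm -rf "$tree"

# In the rotation script itself, after the 15th-of-month step, the call is:
#   purge_monthly /var/log/snort 12 "$(date +%Y-%m)"
```

Run it once with DRY_RUN=1 from the IDS user's crontab before enabling deletion; the stderr listing shows exactly which archives would go, and the daily logs_YYYY-MM-DD.tar.gz files are never matched because the glob requires the short monthly name.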