You want to manage Snort's output and log files in an efficient, effective manner.
To log network trace data for later analysis:
# snort -b [-l logging-directory] [-L basename]
To examine the network trace data:
$ snort -r logfile
or use any other program that reads libpcap-format files, like Ethereal. [Recipe 9.17]
To manage the logs, don't use logrotate [Recipe 9.30]. Instead, periodically tell Snort to close all of its files and restart, by sending it a SIGHUP signal:
# kill -HUP `pidof snort`
Then, use find to remove all files that are older than (say) a week:
# find /var/log/snort -type f -mtime +7 -print0 | xargs -0 -r rm
Finally, use find again to remove empty subdirectories:
# find /var/log/snort -mindepth 1 -depth -type d -print0 | \
    xargs -0 -r rmdir -v --ignore-fail-on-non-empty
To run these commands (for example) every night at 3:30 a.m., create a cleanup script (say, /usr/local/sbin/clean-up-snort) and add a crontab entry for root:
30 3 * * * /usr/local/sbin/clean-up-snort
To log network trace data for later analysis, use the -b option. This creates a libpcap-format binary file in the logging directory (by default, /var/log/snort) with a name like snort.log.1047160213: the digits record the start time of the trace, expressed as seconds since the epoch. To convert this value to a more readable format, use either Perl or the date command:
$ perl -e 'print scalar localtime 1047160213, "\n";'
Sat Mar 8 16:50:13 2003
$ date -d "1970-01-01 utc + 1047160213 sec"
Sat Mar 8 16:50:13 EST 2003
The Unix "epoch" occurred on January 1, 1970, at midnight UTC.
To learn the ending time of the trace, see the modification time of the file:
# ls --full-time -o snort.log.1047160213
-rw------- 1 root 97818 Sat Mar 08 19:05:47 2003 snort.log.1047160213
or use snort -r to examine the network trace data.
You can specify a different logging directory with the -l option, or an alternate basename (instead of snort.log) with the -L option: the start timestamp is still added to the filename.
Since Snort filenames contain timestamps, and the formatted logging files might be split into separate directories, logrotate [Recipe 9.30] is not an ideal mechanism for managing your log files. Use the method we suggest, or something similar.
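The nightly cleanup script that the crontab entry above invokes, plus a helper that recovers a binary trace's start time from the digits in its filename, written out here as an added example (it is not the book's own script). It assumes GNU find, xargs, rm, rmdir and date, a pidof(1) that lists Snort's processes as used above, and the default /var/log/snort logging directory; the SNORT_LOG_DIR and MAX_AGE_DAYS variables and all function names are assumptions of this example.

```shell
#!/bin/sh
# clean-up-snort: nightly Snort log maintenance (added example, not from the book).
# Assumes GNU find/xargs/rm/rmdir/date and pidof(1), the tools the recipe uses.
# Install as /usr/local/sbin/clean-up-snort and run it from root's crontab:
#   30 3 * * * /usr/local/sbin/clean-up-snort

SNORT_LOG_DIR="${SNORT_LOG_DIR:-/var/log/snort}"   # Snort's -l logging-directory
MAX_AGE_DAYS="${MAX_AGE_DAYS:-7}"                  # keep one week of traces

# Step 1: make Snort close and reopen its output files (SIGHUP). Done first so
# that nothing we are about to delete is still Snort's current log file.
rotate_snort() {
    pids=$(pidof snort 2>/dev/null) || return 0   # Snort not running: nothing to do
    kill -HUP $pids                               # unquoted: one PID per argument
}

# Steps 2 and 3: delete regular files older than $2 days under $1, then remove
# the subdirectories left empty. -depth visits children before their parents,
# and --ignore-fail-on-non-empty keeps rmdir quiet about directories still in use.
clean_snort_logs() {
    dir="$1"; days="$2"
    [ -d "$dir" ] || { echo "clean_snort_logs: $dir is not a directory" >&2; return 1; }
    find "$dir" -type f -mtime +"$days" -print0 | xargs -0 -r rm -f
    find "$dir" -mindepth 1 -depth -type d -print0 | \
        xargs -0 -r rmdir --ignore-fail-on-non-empty
}

# Number of regular files left under $1 (for the nightly report and for tests).
count_files() {
    find "$1" -type f | wc -l | tr -d ' '
}

# Start time of a binary trace, taken from the digits Snort appends to the
# basename (snort.log.1047160213 -> seconds since the epoch), printed in UTC.
snort_log_start_time() {
    secs="${1##*.}"
    case "$secs" in
        ''|*[!0-9]*) echo "snort_log_start_time: no timestamp in '$1'" >&2; return 1 ;;
    esac
    date -u -d "@$secs" '+%Y-%m-%d %H:%M:%S UTC'
}

main() {
    rotate_snort
    sleep 2                     # give Snort a moment to reopen its files
    clean_snort_logs "$SNORT_LOG_DIR" "$MAX_AGE_DAYS" || exit 1
    echo "clean-up-snort: $(count_files "$SNORT_LOG_DIR") files remain in $SNORT_LOG_DIR"
}

# Run only when invoked under the installed name, so the functions can also be
# sourced (for example by a test) without touching the real log directory.
case "${0##*/}" in
    clean-up-snort) main "$@" ;;
esac
```

Setting SNORT_LOG_DIR to a scratch directory lets you rehearse the script against copies of old traces before trusting it with the real /var/log/snort; the directory check in clean_snort_logs is there so a typo in that variable fails loudly instead of silently deleting nothing.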
snort(8), logrotate(8). The Snort home page is http://www.snort.org.