author | bmeeks8 <bmeeks8@bellsouth.net> | 2014-09-13 10:38:02 -0400 |
committer | bmeeks8 <bmeeks8@bellsouth.net> | 2014-09-13 10:38:02 -0400 |
commit | 3ded21fc48a46974795072defc35541dc2f0690b (patch) | |
tree | 54e5ffa22148999fe6f938f261da2b35b9451ca1 /config/snort/snort_check_cron_misc.inc | |
parent | 3aba4f55b08aa2fbeec7af5a4a1063c2f91e3355 (diff) | |
Add handler and install code for new LOG MGMT function.
Diffstat (limited to 'config/snort/snort_check_cron_misc.inc')
-rw-r--r-- | config/snort/snort_check_cron_misc.inc | 110 |
1 files changed, 95 insertions, 15 deletions
diff --git a/config/snort/snort_check_cron_misc.inc b/config/snort/snort_check_cron_misc.inc
index 9a1c7833..0f9b80ab 100644
--- a/config/snort/snort_check_cron_misc.inc
+++ b/config/snort/snort_check_cron_misc.inc
@@ -33,6 +33,7 @@ require_once("/usr/local/pkg/snort/snort.inc");
 $snortlogdir = SNORTLOGDIR;
+global $g, $config;
 function snort_check_dir_size_limit($snortloglimitsize) {
@@ -88,6 +89,56 @@ function snort_check_dir_size_limit($snortloglimitsize) {
 }
 }
+function snort_check_rotate_log($log_file, $log_limit, $retention) {
+
+ /********************************************************
+ * This function checks the passed log file against *
+ * the passed size limit and rotates the log file if *
+ * necessary. It also checks the age of previously *
+ * rotated logs and removes those older than the *
+ * rentention parameter. *
+ * *
+ * On Entry: $log_file -> full pathname/filename of *
+ * log file to check *
+ * $log_limit -> size of file in bytes to *
+ * trigger rotation. Zero *
+ * means no rotation. *
+ * $retention -> retention period in hours *
+ * for rotated logs. Zero *
+ * means never remove. *
+ ********************************************************/
+
+ // Check the current log to see if it needs rotating.
+ // If it does, rotate it and put the current time
+ // on the end of the filename as UNIX timestamp.
+ if (!file_exists($log_file))
+ return;
+ if (($log_limit > 0) && (filesize($log_file) >= $log_limit)) {
+ $newfile = $log_file . "." . strval(time());
+ try {
+ copy($log_file, $newfile);
+ file_put_contents($log_file, "");
+ } catch (Exception $e) {
+ log_error("[Snort] Failed to rotate file '{$log_file}' -- error was {$e->getMessage()}");
+ }
+ }
+
+ // Check previously rotated logs to see if time to
+ // delete any older than the retention period.
+ // Rotated logs have a UNIX timestamp appended to
+ // filename.
+ if ($retention > 0) {
+ $now = time();
+ $rotated_files = glob("{$log_file}.*");
+ foreach ($rotated_files as $file) {
+ if (($now - filemtime($file)) > ($retention * 3600))
+ unlink_if_exists($file);
+ }
+ unset($rotated_files);
+ }
+}
+
+
 /*************************
 * Start of main code *
 *************************/
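Review bot: The try/catch around `copy()` and `file_put_contents()` in snort_check_rotate_log can never catch anything, because both functions report failure by returning false (with a warning) rather than throwing, so a failed copy is followed unconditionally by truncation of the live log and its contents are lost. Test the return value instead: `if (copy($log_file, $newfile) === false)` / `log_error("[Snort] Failed to rotate file '{$log_file}' -- could not copy to '{$newfile}'");` / `else file_put_contents($log_file, "");`. The retention sweep below it uses `glob("{$log_file}.*")`, which also matches any file that merely shares the prefix; `glob("{$log_file}.[0-9]*")` limits it to the timestamp-suffixed rotations the comment describes, and an `is_array($rotated_files)` guard avoids iterating over the false that glob() returns on error.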
@@ -96,27 +147,56 @@ function snort_check_dir_size_limit($snortloglimitsize) {
 if ($g['booting'] == true) return;
+$logs = array ();
+
+// Build an array of files to check and limits to check them against from our saved configuration
+$logs['sid_changes.log']['limit'] = $config['installedpackages']['snortglobal']['sid_changes_log_limit_size'];
+$logs['sid_changes.log']['retention'] = $config['installedpackages']['snortglobal']['sid_changes_log_retention'];
+
 // If no interfaces defined, there is nothing to clean up
 if (!is_array($config['installedpackages']['snortglobal']['rule'])) return;
-// Check unified2 archived log retention in the interface logging directories if enabled
-foreach ($config['installedpackages']['snortglobal']['rule'] as $value) {
- $if_real = get_real_interface($value['interface']);
- $snort_log_dir = SNORTLOGDIR . "/snort_{$if_real}{$value['uuid']}";
- if (is_dir("{$snort_log_dir}/barnyard2/archive") && $value['u2_archived_log_retention'] > 0) {
- $now = time();
- $files = glob("{$snort_log_dir}/barnyard2/archive/snort_{$value['uuid']}_{$if_real}.u2.*");
- $prune_count = 0;
- foreach ($files as $f) {
- if (($now - filemtime($f)) > ($value['u2_archived_log_retention'] * 3600)) {
- $prune_count++;
- unlink_if_exists($f);
+// Check log limits and retention in the interface logging directories if enabled
+if ($config['installedpackages']['snortglobal']['enable_log_mgmt'] == 'on') {
+ foreach ($config['installedpackages']['snortglobal']['rule'] as $value) {
+ $if_real = get_real_interface($value['interface']);
+ $snort_log_dir = SNORTLOGDIR . 
"/snort_{$if_real}{$value['uuid']}";
+ foreach ($logs as $k => $p) {
+ snort_check_rotate_log("{$snort_log_dir}/{$k}", $p['limit']*1024, $p['retention']);
+ }
+
+ // Prune aged-out event packet capture files if any exist
+ if ($config['installedpackages']['snortglobal']['event_pkts_log_retention'] > 0) {
+ $now = time();
+ $rotated_files = glob("{$snort_log_dir}/snort.log.*");
+ $prune_count = 0;
+ foreach ($rotated_files as $file) {
+ if (($now - filemtime($file)) > ($config['installedpackages']['snortglobal']['event_pkts_log_retention'] * 3600)) {
+ $prune_count++;
+ unlink_if_exists($file);
+ }
+ }
+ unset($rotated_files);
+ if ($prune_count > 0)
+ log_error(gettext("[Snort] Alert pcap file cleanup job removed {$prune_count} pcap file(s) from {$snort_log_dir}/..."));
+ }
+
+ // Prune any aged-out Barnyard2 archived logs if any exist
+ if (is_dir("{$snort_log_dir}/barnyard2/archive") && $value['u2_archived_log_retention'] > 0) {
+ $now = time();
+ $files = glob("{$snort_log_dir}/barnyard2/archive/snort_{$value['uuid']}_{$if_real}.u2.*");
+ $prune_count = 0;
+ foreach ($files as $f) {
+ if (($now - filemtime($f)) > ($value['u2_archived_log_retention'] * 3600)) {
+ $prune_count++;
+ unlink_if_exists($f);
+ }
 }
+ unset($files);
+ if ($prune_count > 0)
+ log_error(gettext("[Snort] Barnyard2 archived logs cleanup job removed {$prune_count} file(s) from {$snort_log_dir}/barnyard2/archive/..."));
 }
- unset($files);
- if ($prune_count > 0)
- log_error(gettext("[Snort] Barnyard2 archived logs cleanup job removed {$prune_count} file(s) from {$snort_log_dir}/barnyard2/archive/..."));
 }
 } |
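Review bot: The Barnyard2 archive pruning that previously ran for every interface is now nested inside the new `if ($config['installedpackages']['snortglobal']['enable_log_mgmt'] == 'on')` gate, so an existing configuration with `u2_archived_log_retention > 0` stops pruning unless the install code (not in this hunk) also sets enable_log_mgmt to 'on'; if that change is unintended, move that block back outside the gate. The `$logs` entries read `sid_changes_log_limit_size` and `sid_changes_log_retention` without an `isset()` check, which raises undefined-index notices on a configuration saved before these options existed and feeds an empty string into `$p['limit']*1024`; an isset() test with a default of 0 and an explicit `(int)` cast would make the "zero means disabled" contract of snort_check_rotate_log explicit. The two prune loops are near-verbatim copies of each other and of the retention sweep inside snort_check_rotate_log; a small helper taking a glob pattern, a retention in hours and a log label would remove the duplication.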