From 51e70ca039db270bfb2678034fc0d8789715b690 Mon Sep 17 00:00:00 2001
From: bmeeks8
Date: Fri, 10 Jan 2014 23:49:43 -0500
Subject: Fix auto log limit cleanup so it actually works.
---
 config/snort/snort_check_cron_misc.inc | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)
(limited to 'config/snort/snort_check_cron_misc.inc')
diff --git a/config/snort/snort_check_cron_misc.inc b/config/snort/snort_check_cron_misc.inc
index e988b949..c1835dd0 100644
--- a/config/snort/snort_check_cron_misc.inc
+++ b/config/snort/snort_check_cron_misc.inc
@@ -52,27 +52,32 @@ if ($snortloglimit == 'off') if (!is_array($config['installedpackages']['snortglobal']['rule'])) return; -$snortloglimitDSKsize = exec('/bin/df -k /var | grep -v "Filesystem" | awk \'{print $4}\''); - foreach ($config['installedpackages']['snortglobal']['rule'] as $value) { $if_real = snort_get_real_interface($value['interface']); $snort_uuid = $value['uuid']; - $snort_log_dir = "/var/log/snort/snort_{$if_real}{$snort_uuid}"; + $snort_log_dir = SNORTLOGDIR . "/snort_{$if_real}{$snort_uuid}"; if (file_exists("{$snort_log_dir}/alert")) { $snortlogAlertsizeKB = snort_Getdirsize("{$snort_log_dir}/alert"); - $snortloglimitAlertsizeKB = round($snortlogAlertsizeKB * .70); $snortloglimitsizeKB = round($snortloglimitsize * 1024); - /* do I need HUP kill ? */ if (snort_Getdirsize($snort_log_dir) >= $snortloglimitsizeKB ) { conf_mount_rw(); - if ($snortlogAlertsizeKB >= $snortloglimitAlertsizeKB) - @file_put_contents("{$snort_log_dir}/alert", ""); + log_error(gettext("[Snort] Snort Log directory size exceeds limit set in Global Settings.")); + log_error(gettext("[Snort] Logs for {$value['descr']} ({$if_real}) will be truncated.")); snort_post_delete_logs($snort_uuid); + $fd = @fopen("{$snort_log_dir}/alert", "w+"); + if ($fd) + fclose($fd); + /* XXX: This is needed if snort is run as snort user */ + mwexec('/bin/chmod 660 /var/log/snort/*', true); + /* XXX: Soft-restart Snort process to resync logging */ + if (file_exists("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) { + log_error(gettext("[Snort] Restarting logging on {$value['descr']} ({$if_real})")); + mwexec("/bin/pkill -HUP -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid -a"); + } conf_mount_ro(); } - } } -- cgit v1.2.3 From ba3edc934faf8887fd5ea9e785392d84f2cd288c Mon Sep 17 00:00:00 2001 
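Review bot: The added `mwexec('/bin/chmod 660 /var/log/snort/*', true);` hardcodes the path that this same hunk just replaced with `SNORTLOGDIR` in `$snort_log_dir`, so the two can drift apart, and the glob matches the per-instance `snort_{$if_real}{$snort_uuid}` directories the hunk builds directly under that path; mode 660 on a directory drops its search bit, which would make the `alert` file inside it unreachable for exactly the non-root snort user the XXX comment says the line is for. Limiting the fixup to regular files, e.g. `mwexec('/usr/bin/find ' . escapeshellarg(SNORTLOGDIR) . ' -type f -exec /bin/chmod 660 {} +', true);`, keeps the directory modes intact, and chmod-ing only `{$snort_log_dir}/alert` right after the fopen would be narrower still. The same line is carried into the second commit's hunk below, where it additionally runs once per loop iteration.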
From: bmeeks8
Date: Sat, 11 Jan 2014 11:49:44 -0500
Subject: More fixes for auto log cleanup cron job.
---
 config/snort/snort_check_cron_misc.inc | 54 +++++++++++++++++++++-------------
 1 file changed, 34 insertions(+), 20 deletions(-)
(limited to 'config/snort/snort_check_cron_misc.inc')
diff --git a/config/snort/snort_check_cron_misc.inc b/config/snort/snort_check_cron_misc.inc
index c1835dd0..038a11cd 100644
--- a/config/snort/snort_check_cron_misc.inc
+++ b/config/snort/snort_check_cron_misc.inc
@@ -52,33 +52,47 @@ if ($snortloglimit == 'off') if (!is_array($config['installedpackages']['snortglobal']['rule'])) return; -foreach ($config['installedpackages']['snortglobal']['rule'] as $value) { - $if_real = snort_get_real_interface($value['interface']); - $snort_uuid = $value['uuid']; - $snort_log_dir = SNORTLOGDIR . "/snort_{$if_real}{$snort_uuid}"; +/* Convert Log Limit Size setting from MB to KB */ +$snortloglimitsizeKB = round($snortloglimitsize * 1024); +$snortlogdirsizeKB = snort_Getdirsize(SNORTLOGDIR); +if ($snortlogdirsizeKB > 0 && $snortlogdirsizeKB > $snortloglimitsizeKB) { + log_error(gettext("[Snort] Log directory size exceeds configured limit of " . number_format($snortloglimitsize) . " MB set on Global Settings tab. All Snort log files will be truncated.")); + conf_mount_rw(); - if (file_exists("{$snort_log_dir}/alert")) { - $snortlogAlertsizeKB = snort_Getdirsize("{$snort_log_dir}/alert"); - $snortloglimitsizeKB = round($snortloglimitsize * 1024); + /* Truncate the Rules Update Log file if it exists */ + if (file_exists(RULES_UPD_LOGFILE)) { + log_error(gettext("[Snort] Truncating the Rules Update Log file...")); + $fd = @fopen(RULES_UPD_LOGFILE, "w+"); + if ($fd) + fclose($fd); + } + + /* Clean-up the logs for each configured Snort instance */ + foreach ($config['installedpackages']['snortglobal']['rule'] as $value) { + $if_real = snort_get_real_interface($value['interface']); + $snort_uuid = $value['uuid']; + $snort_log_dir = SNORTLOGDIR . 
"/snort_{$if_real}{$snort_uuid}"; + log_error(gettext("[Snort] Truncating logs for {$value['descr']} ({$if_real})...")); + snort_post_delete_logs($snort_uuid); - if (snort_Getdirsize($snort_log_dir) >= $snortloglimitsizeKB ) { - conf_mount_rw(); - log_error(gettext("[Snort] Snort Log directory size exceeds limit set in Global Settings.")); - log_error(gettext("[Snort] Logs for {$value['descr']} ({$if_real}) will be truncated.")); - snort_post_delete_logs($snort_uuid); + /* Truncate the alert log file if it exists */ + if (file_exists("{$snort_log_dir}/alert")) { $fd = @fopen("{$snort_log_dir}/alert", "w+"); if ($fd) fclose($fd); - /* XXX: This is needed if snort is run as snort user */ - mwexec('/bin/chmod 660 /var/log/snort/*', true); - /* XXX: Soft-restart Snort process to resync logging */ - if (file_exists("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) { - log_error(gettext("[Snort] Restarting logging on {$value['descr']} ({$if_real})")); - mwexec("/bin/pkill -HUP -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid -a"); - } - conf_mount_ro(); + } + + /* This is needed if snort is run as snort user */ + mwexec('/bin/chmod 660 /var/log/snort/*', true); + + /* Soft-restart Snort process to resync logging */ + if (file_exists("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) { + log_error(gettext("[Snort] Restarting logging on {$value['descr']} ({$if_real})...")); + mwexec("/bin/pkill -HUP -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid -a"); } } + conf_mount_ro(); + log_error(gettext("[Snort] Automatic clean-up of Snort logs completed.")); } ?> -- cgit v1.2.3
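Review bot: The soft-restart block near the end of the hunk builds a shell command by interpolating `$if_real`, `$snort_uuid` and `$g['varrun_path']` straight into `mwexec("/bin/pkill -HUP -F ... -a")`; `$if_real` and `$snort_uuid` come from the package config (`$value['interface']`, `$value['uuid']`) rather than from this script, so the path should be quoted for the shell: `$pidfile = "{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid";` followed by `mwexec("/bin/pkill -HUP -F " . escapeshellarg($pidfile) . " -a");`, with the `file_exists` check reusing `$pidfile`. The first commit's hunk above introduced the identical line, so the change applies there too. The `mwexec('/bin/chmod 660 /var/log/snort/*', true);` now sits inside the foreach and repeats the whole-directory chmod once per instance; it can be hoisted to just before the loop. Since the comment says snort may run as the snort user, the pidfile written by that process is what selects the HUP target for this cron job, which presumably runs as root; it would be worth confirming that the pidfile directory is not writable by that user before trusting its contents.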