This is a discussion on [Snort-users] 2GB limit on alert log within the Snort forums, part of the System Security and Security Related category.
Has anyone found a good procedure for getting past the 2GB limit on snort's alert log?

Before anyone suggests this, the problem is not a filesystem-imposed limit. On the same fs, I have other apps dumping 20-50GB files daily. At 2GB, snort exits. If started in fg, it complains the file is too big. I tried recompiling libpcap with -D_FILE_OFFSET_BITS=64 and -D_LARGEFILE_SOURCE but that did not seem to help. I searched for articles pertaining to this but every answer I have seen seems to think in the direction of fs limitations.

My logs easily grow to this size within a week with minimal logging enabled, so I have to find a way around this, and putting in more sensors is not an option. I have several heavily populated /17's behind this sensor and that is not going to change. I would prefer not to sighup and rename every week. Keeping the data in one contiguous file is much preferred.

MySQL is not an option either. I kicked that beeotch to the curb some time ago. Flat files, shell scripts and snortalog are the only sensible way to go for me. : - )
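The poster's point is that the 2GB stop is an application build issue (32-bit off_t), not a filesystem limit. The probe below is an added example, not code from the thread or from Snort or libpcap: it shows what large-file support looks like from inside a process by compiling with the same macros mentioned in the post, reporting the width of off_t, and creating a sparse file whose logical size crosses 2 GiB (no real disk is consumed). Built without those macros on a 32-bit-off_t platform, the seek or write fails with EFBIG/EOVERFLOW on the same filesystem that happily holds 50GB files, which is exactly the symptom described. The file name is an assumption chosen for the demo.

```c
/* Same feature macros the poster used when rebuilding libpcap; they must
 * come before any system header to affect off_t. */
#define _FILE_OFFSET_BITS 64
#define _LARGEFILE_SOURCE
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

/* Width of off_t in this build. 32 means the process cannot address
 * anything past 2 GiB in a file, whatever the filesystem allows. */
int off_t_bits(void)
{
    return (int)(sizeof(off_t) * 8);
}

/* Try to create a sparse file whose logical size is one byte past 2 GiB.
 * Returns 1 if the seek, write and fstat all succeed with a size above
 * 2^31 - 1, 0 otherwise (errno is preserved for the caller). The file is
 * removed before returning. */
int can_cross_2gib(const char *path)
{
    /* 2^31 + 1; on a 32-bit off_t this literal no longer fits, so bail out. */
    off_t target = (off_t)2147483649LL;
    if (target <= 0)
        return 0;

    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return 0;

    int ok = 0;
    if (lseek(fd, target, SEEK_SET) == target && write(fd, "x", 1) == 1) {
        struct stat st;
        if (fstat(fd, &st) == 0 && st.st_size > (off_t)2147483647LL)
            ok = 1;
    }
    int saved = errno;
    close(fd);
    unlink(path);
    errno = saved;
    return ok;
}

int main(void)
{
    /* "lfs_probe.bin" is an assumed scratch name; it is unlinked afterwards. */
    printf("off_t is %d bits\n", off_t_bits());
    if (can_cross_2gib("lfs_probe.bin"))
        printf("this build can write past 2 GiB\n");
    else
        printf("this build cannot write past 2 GiB: %s\n", strerror(errno));
    return 0;
}
```

Compile once as-is and once with the two #define lines removed (and, to reproduce the 32-bit case, on a target where off_t is 32 bits by default) to see the difference; the relevant binary to inspect in the poster's situation is snort itself rather than libpcap, since it is snort that opens the alert log.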