tag 862185 wontfix moreinfo
thanks

Dear Matthew,
On Tue, 9 May 2017 at 17:06, Matthew Gabeler-Lee <chee...@fastcat.org> wrote:
> The default (and recommended even by UPSTREAM) configuration for snort
> logging has the "nostamp" flag on the logging configurations.

The default configuration in Debian already uses nostamp, as you can see in the /etc/snort/snort.conf configuration file:

    output unified2: filename snort.log, limit 128, nostamp, mpls_event_types, vlan_event_types
    output alert_unified2: filename snort.alert, limit 128, nostamp

However, with this option on, the log files are still truncated.

The nostamp option is not very well documented, neither in the manual nor in the README.unified2 document (available in the package and also here: https://www.snort.org/faq/readme-unified2). However, as you can see looking at the source code (more specifically in src/output-plugins/spo_unified2.c), this option actually seems to not include timestamps in the *names* of the logfiles created:

    if (!config->nostamp)
    {
        if (SnortSnprintf(filepath, sizeof(filepath), "%s.%u",
                          config->filepath, config->timestamp) != SNORT_SNPRINTF_SUCCESS)
        {
            FatalError("%s(%d) Failed to copy unified2 file path.\n",
                       __FILE__, __LINE__);
        }

        fname_ptr = filepath;
    }

As far as I am aware there is no option to prevent truncation of the log files when (re)starting Snort. The only option would be to configure timestamps in the logfiles (so that new logfiles are created with a different filename), but enabling that would then break the snort-stat script as well as the logrotation mechanisms currently defined in the package.

I'm setting this bug initially as wontfix and will consider closing it in the future unless an option is provided. For example, the spo_unified2.c code could be modified to append to the desired file instead of overwriting it, but I feel this should be handled upstream.
Of course, as a workaround, users can remove the 'nostamp' option from the configuration and adjust their logrotate setup to cater for files with timestamps.

Best regards,
Javier
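A pre-restart hook that sidesteps the truncation described above, added here as an illustration (it is not part of the Debian package or of Snort): it moves the fixed-name unified2 files aside with the same ".<epoch>" suffix Snort itself produces when nostamp is off, so a restart that truncates snort.log and snort.alert does not discard events already written. The log directory and file names are assumed to be the defaults from snort.conf.

```shell
#!/bin/sh
# archive_unified2 DIR [EPOCH]
# Rename the fixed-name unified2 files in DIR to NAME.EPOCH before Snort is
# (re)started, mirroring the "%s.%u" filename Snort builds when nostamp is off.
# DIR defaults to /var/log/snort (assumption: Debian default), EPOCH to now.
archive_unified2() {
    dir=${1:-/var/log/snort}
    stamp=${2:-$(date +%s)}
    for base in snort.log snort.alert; do
        f="$dir/$base"
        # Nothing to preserve in a missing or empty file: leave it alone.
        [ -s "$f" ] || continue
        # Refuse to clobber an archive from an earlier run in the same second.
        if [ -e "$f.$stamp" ]; then
            echo "archive_unified2: $f.$stamp already exists" >&2
            return 1
        fi
        mv "$f" "$f.$stamp" || return 1
    done
    return 0
}
```

Call it from whatever wraps the service restart (for example an ExecStartPre in a systemd drop-in), and prune the archived files with the logrotate or cleanup policy that already applies to timestamped unified2 files.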