argus log rotation
Peter Van Epp
vanepp at sfu.ca
Fri Nov 29 16:05:28 EST 2002
Are you running 1.8.1 (rather than one of the 2.x releases)? On 2.x
the argusarchive script is what I use (1.8.1 which is still production here
does need a restart). On 2.x moving the log file causes argus to create a new
one without requiring a shutdown or losing data. I did bugger with argusarchive
to make the file name the start time of the data (so data for a day is in a
single directory rather than starting with 23:00 to 24:00 of the day before).
Note that data file size about triples (at least here) on 2.x so you
need more disk space to deal with that.
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
>
> Silly question, considering I've been using argus for a couple years now -
> what is the best way to rotate the argus log file?
>
> I have seen the FAQ and the CERT blurb and that method does not work for
> me since argus does not open a new log file after the original is renamed
> as the article implies. Therefore I have to do a stop/start which is
> cumbersome and loses some data.
>
> For other things, like syslog or apache, it is just a signal which tells
> the app to reopen its log file(s). So you move them first, then send the
> signal and you're done with no data loss. Can we get argus to do this?
>
> This also ties in with the remote data collection thread since I will have
> the same problem with ra -S.
>
> --
> Chris Russel | Manager Information Security
> russel at yorku.ca | York University, Toronto, Canada