
Snare Linux - events log file location??

Started by September 16, 2008 06:43 PM
2 comments, last by faculaganymede 16 years, 2 months ago
Hi All, Does anyone have experience using Snare in Linux? I believe by default the snare.conf file is set up so Snare writes the events log data to an output file called "Snare-Audit-Log". At least this is what's in my snare.conf file. However, there's no directory path associated with "Snare-Audit-Log", and I couldn't seem to find this file on the computer. Does anyone know where "Snare-Audit-Log" is located? It's extremely important that I find this file. Thanks in advance for your help!
Hi there! I found it, it's in "/" (don't know why File Search didn't find it before).

However, the file only contains events for the last couple of days? I don't see any parameter in the Snare configuration file that limits the event log file size, time, etc. Why does it only contain the events for a few days? What parameter needs to be changed in order to save the events indefinitely? Anyone?

The same applies to the system log files in my Linux. I'm only able to view the recent log info. Does anyone know what parameters I need to change in the operating system to save log data indefinitely? Thanks very much in advance!

[Edited by - faculaganymede on September 21, 2008 6:29:40 PM]
I didn't catch which distribution you were using, but most will include a utility to "rotate" your logs. If you look in /var/log and notice, for instance, messages, messages.0, and messages.1.gz (or something along those lines), that's likely what's happening. Try "man logrotate" and see if it pulls anything up.
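The rotation behaviour Null and Void describes (and the "only a few days of events" symptom in the question above) is governed by a logrotate stanza rather than by snare.conf, and the directive that decides how much history survives is `rotate N`: each rotation renames the current file, shifts the older copies down, and deletes whatever falls past N. The helper below is an added example, not code from the thread or from the Snare project; it locates the stanza that currently governs a log, reads its retention count, and writes a replacement stanza with a large count. The log path `/Snare-Audit-Log`, the config directory `/etc/logrotate.d`, the 3650-copy default, and the use of `copytruncate` (chosen because the thread does not say whether the Snare daemon reopens its output file on a signal) are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from Snare): inspect and adjust the
# logrotate policy that limits how many days of a log file are kept.
# Assumptions: logrotate drop-in files live under /etc/logrotate.d, the Snare
# output is /Snare-Audit-Log, and the daemon does not reopen its file on SIGHUP
# (hence copytruncate). Adjust all three for a real host.

# Print every logrotate config file under a directory that mentions the given
# log path. This answers "which stanza is rotating /var/log/messages?".
# Usage: find_rotation_policy /var/log/messages [/etc/logrotate.d]
find_rotation_policy() {
    log="$1"
    confdir="${2:-/etc/logrotate.d}"
    grep -ls -- "$log" "$confdir"/* 2>/dev/null
}

# Print the "rotate N" count from a stanza file (first match only).
# A small N is the usual reason only a few days of history survive;
# "rotate 0" deletes the log outright on each rotation.
retention_count() {
    awk '/^[[:space:]]*rotate[[:space:]]+[0-9]+/ { print $2; exit }' "$1"
}

# Write a stanza that keeps many dated, compressed copies instead of the
# distribution default. logrotate has no "keep forever" keyword, so a large
# count is the closest equivalent; no maxage directive is emitted, so nothing
# is expired by age.
# Usage: write_retention_policy /Snare-Audit-Log /etc/logrotate.d/snare [count]
write_retention_policy() {
    log="$1"
    out="$2"
    keep="${3:-3650}"   # assumption: roughly ten years of daily files
    cat > "$out" <<EOF
$log {
    daily
    rotate $keep
    compress
    delaycompress
    dateext
    missingok
    notifempty
    copytruncate
}
EOF
}

# Optional stand-alone demonstration against a scratch directory, so running
# this file touches nothing under /etc. Invoke as: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo_dir=$(mktemp -d)
    write_retention_policy /Snare-Audit-Log "$demo_dir/snare" 3650
    echo "stanza governing /Snare-Audit-Log: $(find_rotation_policy /Snare-Audit-Log "$demo_dir")"
    echo "copies retained: $(retention_count "$demo_dir/snare")"
    rm -r "$demo_dir"
fi
```

Before installing a stanza, dry-run it with `logrotate -d /etc/logrotate.conf` to see what logrotate would do without touching any files. Two caveats: `copytruncate` can drop events written in the window between the copy and the truncate, so if the Snare daemon does reopen its file on a signal, a `postrotate` block sending that signal is the safer choice; and a log that exists only on the audited host can be altered or deleted by anyone who compromises that host, so local retention settles how long the file is kept but not whether it can be trusted.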
Thanks very much, Null and Void. I'll look into logrotate some more and hopefully it'll help resolve some of the issues we've been having with log data.

