

Log Limits

This section pertains to logs produced by alert_fast, alert_full, alert_csv, and log_tcpdump. unified and unified2 may also be given limits; those limits are described in their respective sections.

When a configured limit is reached, the current log is closed and a new log is opened with a UNIX timestamp appended to the configured log name.

Limits are configured as follows:

    <limit> ::= <number>[(<gb>|<mb>|<kb>)]
    <gb> ::= 'G'|'g'
    <mb> ::= 'M'|'m'
    <kb> ::= 'K'|'k'

Rollover occurs at most once per second, so if the limit is too small for the logging rate, the limit will be exceeded. Rollover works correctly if snort is stopped and restarted.
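The following is an added example, not Snort's own code: a small Python model of the limit grammar and the once-per-second rollover rule, useful for checking whether a chosen limit will hold at an expected alert rate. Assumptions not stated on this page: suffixes are binary multiples, a bare number is a byte count, the first log carries the bare configured name, and the timestamp is joined with a dot; the names parse_limit and simulate and the file name alert.fast are hypothetical.

```python
import re

# Assumption: K/M/G are binary multiples and a bare number means bytes;
# the page gives only the grammar, not the multipliers.
_UNITS = {"": 1, "k": 1 << 10, "m": 1 << 20, "g": 1 << 30}
_LIMIT_RE = re.compile(r"([0-9]+)([GgMmKk]?)")


def parse_limit(text):
    """Parse <number>[G|g|M|m|K|k] into bytes; reject anything else."""
    m = _LIMIT_RE.fullmatch(text)
    if m is None:
        raise ValueError(f"not a valid limit: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2).lower()]


def simulate(limit, writes, name="alert.fast", start=1368000000):
    """Model rollover: when a write would pass the limit, close the log and
    open <name>.<unix time>, but at most once per second.
    `writes` is a list of (second_offset, nbytes) records.
    Returns [(file_name, final_size), ...], last entry being the open log."""
    limit_bytes = parse_limit(limit)
    closed, current, size, last_roll = [], name, 0, None
    for offset, nbytes in writes:
        now = start + offset
        if size > 0 and size + nbytes > limit_bytes and now != last_roll:
            closed.append((current, size))
            # Assumption: timestamp is appended with a '.' separator.
            current, size, last_roll = f"{name}.{now}", 0, now
        size += nbytes
    return closed + [(current, size)]


if __name__ == "__main__":
    # Constructed workloads: six 400-byte alerts against a 1K limit.
    steady = [(sec, 400) for sec in range(6)]   # one alert per second
    burst = [(0, 400)] * 6                      # all within one second
    for label, load in (("steady", steady), ("burst", burst)):
        print(label)
        for fname, nbytes in simulate("1K", load):
            flag = "  <-- over limit" if nbytes > parse_limit("1K") else ""
            print(f"  {fname}: {nbytes} bytes{flag}")
```

In the burst case the second log grows to 1600 bytes because a second rollover is not allowed within the same second, which is the overshoot the paragraph above describes.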



Eugene Misnik 2013-05-08