This section pertains to logs produced by alert_fast, alert_full, alert_csv, and log_tcpdump. unified and unified2 may also be given limits; those limits are described in their respective sections.
When a configured limit is reached, the current log is closed and a new log is opened with a UNIX timestamp appended to the configured log name.
Limits are configured as follows:
    <limit> ::= <number>[(<gb>|<mb>|<kb>)]
    <gb> ::= 'G'|'g'
    <mb> ::= 'M'|'m'
    <kb> ::= 'K'|'k'
Rollover occurs at most once per second, so if the limit is too small for the logging rate, the limit will be exceeded. Rollover works correctly if Snort is stopped and restarted.
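The following added example (not Snort's own code) parses the limit grammar above and models the once-per-second rollover rule on constructed input, showing how a log ends up larger than its limit. It assumes binary multipliers, a bare number meaning bytes, a "." between the log name and the timestamp, and a check made before each write; the function names are hypothetical.

```python
import re

# Assumptions (not stated on the page): suffixes are binary multiples, a bare
# number is a byte count, and the timestamp is joined to the name with ".".
UNITS = {"": 1, "k": 1 << 10, "m": 1 << 20, "g": 1 << 30}
LIMIT_RE = re.compile(r"([0-9]+)([GgMmKk]?)")

def parse_limit(text):
    """Parse <limit> ::= <number>[G|g|M|m|K|k] into a byte count."""
    match = LIMIT_RE.fullmatch(text)
    if match is None:
        raise ValueError(f"invalid limit: {text!r}")
    return int(match.group(1)) * UNITS[match.group(2).lower()]

def simulate(base, limit, events):
    """Simplified model of rollover; events are (unix_second, nbytes) writes.

    Returns {log_name: bytes_written}. A new log is opened when a write would
    pass the limit, but never twice within the same second.
    """
    limit_bytes = parse_limit(limit)
    sizes = {base: 0}
    current, last_roll = base, None
    for now, nbytes in events:
        if sizes[current] + nbytes > limit_bytes and now != last_roll:
            current = f"{base}.{now}"  # UNIX timestamp appended to the name
            sizes[current] = 0
            last_roll = now
        sizes[current] += nbytes
    return sizes

def over_limit(sizes, limit):
    """Names of logs that grew past the configured limit."""
    limit_bytes = parse_limit(limit)
    return sorted(name for name, size in sizes.items() if size > limit_bytes)

# Constructed sample: ten 300-byte alerts in second 1000, two in second 1001.
SAMPLE_EVENTS = [(1000, 300)] * 10 + [(1001, 300)] * 2

if __name__ == "__main__":
    result = simulate("alert.fast", "1K", SAMPLE_EVENTS)
    for name, size in result.items():
        print(f"{name}: {size} bytes")
    print("over limit:", over_limit(result, "1K"))
```

With a 1K limit, the log opened in second 1000 cannot roll again until second 1001, so it absorbs the rest of that second's alerts and ends at roughly twice the limit.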