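#!/usr/bin/env bash
#
# snort setup-logging script
#
# !!!IMPORTANT -- README!!!!
# FreeBSD Centric!
# probably works on linux with /etc/logrotate.d support
# anything else, and you have to edit things by hand.
#
#
# Zoidial, Inc.
# Eric Thern eric@zoidial.com
# March 2002
#
# November, 2002 - added the 'touch' to logs to create snort.log
#
# What it does (must run as root, it rewrites files under /etc):
#   1. drops the snort.log entries it added on an earlier run from
#      /etc/syslog.conf and appends fresh ones (FreeBSD: a "!snort" program
#      block; Linux: a local6.* selector), so re-running is idempotent
#   2. sets up rotation of /var/log/snort.log (FreeBSD: /etc/newsyslog.conf,
#      Linux: /etc/logrotate.d/snort)
#   3. creates /var/log/snort.log root-only (0600) and only THEN HUPs syslogd,
#      so the daemon finds the file when it re-reads its config
#
# Security / robustness notes for the reviewer:
#   - snort.log holds IDS alerts. The original touch ran after the HUP and with
#     the default umask, i.e. the first file was typically world-readable and
#     syslogd was reloaded before it existed; both are fixed here.
#   - /etc/syslog.conf and /etc/newsyslog.conf are overwritten only after the
#     sed filter succeeded, through a mktemp file in the same directory, so a
#     failing sed can no longer leave an empty or truncated config behind.
#   - the logrotate snippet is written through a quoted heredoc: the backticks
#     in its postrotate line must be evaluated by logrotate at rotation time,
#     not by this script while writing the file (the unquoted heredoc used to
#     substitute them on the spot, leaving a bare "/bin/kill -HUP" behind).
#   - pids read from /var/run are required to be a plain integer before they
#     reach kill(1), so a damaged pid file cannot become "kill -HUP -1".
#

set -euo pipefail

readonly SNORT_LOG=/var/log/snort.log
readonly SYSLOG_CONF=/etc/syslog.conf
readonly NEWSYSLOG_CONF=/etc/newsyslog.conf
readonly LOGROTATE_DIR=/etc/logrotate.d

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Rewrite FILE in place with every line matching any of the given sed BREs
# removed. The filtered copy goes to a mktemp file next to FILE and replaces
# FILE's contents only when sed succeeded; FILE keeps its inode, owner, mode.
# Arguments: $1 - file to filter; $2.. - basic regular expressions to delete
# Returns:   0 on success; exits the script if sed or mktemp fail
#######################################
strip_lines() {
  local file=$1
  shift
  local tmp pattern
  local -a exprs=()
  for pattern in "$@"; do
    exprs+=(-e "/${pattern}/d")
  done
  # Same directory as the target: root-owned /etc, not a world-writable tmp.
  tmp=$(mktemp "${file}.XXXXXX") || die "cannot create temp file next to $file"
  if ! sed "${exprs[@]}" "$file" > "$tmp"; then
    rm -f -- "$tmp"
    die "sed failed on $file; it was left untouched"
  fi
  # cat > file (rather than mv) preserves the config file's owner and mode.
  cat -- "$tmp" > "$file"
  rm -f -- "$tmp"
}

#######################################
# FreeBSD: syslog.conf program block + newsyslog.conf rotation entry.
# Only the lines this script itself adds are removed before re-adding them
# (the old "/snort/d" also ate any unrelated line that merely mentioned snort).
#######################################
configure_freebsd() {
  strip_lines "$SYSLOG_CONF" 'snort\.log' '^!snort[[:space:]]*$'
  # "!snort" restricts the selector that follows to messages from the
  # program named snort, so the *.* below does not capture everything else.
  printf '%s\n' '!snort' >> "$SYSLOG_CONF"
  printf '%s\t%s\n' '*.*' "$SNORT_LOG" >> "$SYSLOG_CONF"

  strip_lines "$NEWSYSLOG_CONF" 'snort\.log'
  # owner root:wheel, mode 600, keep 10 archives, rotate at 22300 KB, compress.
  printf '%s\n' "$SNORT_LOG root.wheel 600 10 22300 * Z" >> "$NEWSYSLOG_CONF"
}

#######################################
# Linux: local6 selector in syslog.conf + /etc/logrotate.d/snort.
# snort's syslog output has to use the local6 facility for this selector to
# match anything; nothing here configures snort itself.
#######################################
configure_linux() {
  strip_lines "$SYSLOG_CONF" 'snort\.log'
  printf '%s\t%s\n' 'local6.*' "$SNORT_LOG" >> "$SYSLOG_CONF"

  # Quoted delimiter: the backticks are part of the logrotate script and must
  # be written literally, to be evaluated by logrotate when it rotates.
  # The postrotate assumes snort writes its pid to /var/run/snort.pid; if it
  # does not, the HUP is silently skipped (|| true) -- verify on your host.
  cat > "$LOGROTATE_DIR/snort" <<'EOF'
/var/log/snort.log {
    missingok
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/snort.pid 2>/dev/null` 2> /dev/null || true
    endscript
}
EOF
}

#######################################
# Create the log file root-only before syslogd is reloaded.
# The November 2002 change notes syslogd needs the file to exist; creating it
# 0600 keeps alert data from being readable by every local user (matches the
# 600 in the newsyslog entry). An existing file is tightened to 0600 as well.
#######################################
create_log() {
  ( umask 077; touch "$SNORT_LOG" )
  chmod 600 "$SNORT_LOG"
}

#######################################
# Send SIGHUP to the pid recorded in PIDFILE.
# Arguments: $1 - pid file; $2 - label used in the status message
# Returns:   1 if the pid file does not exist; exits if its content is not a
#            single integer or the kill fails
#######################################
hup_from_pidfile() {
  local pidfile=$1 label=$2 pid
  [[ -f $pidfile ]] || return 1
  pid=$(tr -d '[:space:]' < "$pidfile")
  # Refuse anything but digits: "-1" here would HUP every process on the box.
  [[ $pid =~ ^[0-9]+$ ]] || die "$pidfile does not contain a pid: '$pid'"
  kill -HUP "$pid" || die "could not HUP syslogd (pid $pid from $pidfile)"
  echo "restarted syslogd on $label"
}

#######################################
# Reload syslogd via whichever pid file is present.
# /var/run/syslog.pid is FreeBSD's, /var/run/syslogd.pid the classic Linux
# sysklogd one; other syslog daemons use other names and must be reloaded by
# hand, which the fallback message asks for.
#######################################
restart_syslogd() {
  hup_from_pidfile /var/run/syslog.pid FreeBSD \
    || hup_from_pidfile /var/run/syslogd.pid Linux \
    || echo "syslogd could not be restarted manually -- please restart syslogd" >&2
}

#######################################
# Print what was (or should be) added, for the operator to double-check.
# Quoted heredoc so the backticks in the logrotate excerpt print literally.
#######################################
print_summary() {
  cat <<'EOF'

added the following to /etc/syslog.conf (for linux)
local6.*	/var/log/snort.log

added the following to /etc/syslog.conf (for FreeBSD)
!snort
*.*	/var/log/snort.log

FREEBSD
===
added the following to /etc/newsyslog.conf
/var/log/snort.log root.wheel 600 10 22300 * Z

LINUX
===
added the following entry in /etc/logrotate.d/snort
/var/log/snort.log {
    missingok
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/snort.pid 2>/dev/null` 2> /dev/null || true
    endscript
}

created /var/log/snort.log owned by root, mode 600, before reloading syslogd.

If you got an error message, this means the script couldn't figure it out,
and you should edit this yourself!
Make sure you check your files and that syslogd gets restarted!

EOF
}

main() {
  [[ $(id -u) -eq 0 ]] || die "must run as root: this rewrites /etc/syslog.conf and friends"

  ###
  ### make sure there is no existing snort.log entry in newsyslog, then add one.
  ### and
  ### make sure there is no existing snort.log entry in syslog.conf, then add one.
  ###
  if [[ -f $NEWSYSLOG_CONF ]]; then
    configure_freebsd
  elif [[ -d $LOGROTATE_DIR ]]; then
    configure_linux
  else
    echo "Host System not determined for syslog-file turnover, make sure you edit this yourself!" >&2
  fi

  ###
  ### create /var/log/snort.log (root-only), then restart syslogd
  ###
  create_log
  restart_syslogd

  print_summary
}

main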