Snort Logs: log recording on a different drive

JonathanLee

Hello fellow Netgate community members,

Can you please help? Is there a way to change where snorts logs are recorded to? I would love to have them be recorded to my secondary NVMe drive, I can’t seem to find the setting to change its default log location.

bmeeks

No, there is currently no method for moving the path of Snort logs. They are going into /var/log/snort and subdirectories automatically created underneath there.

You could try creating a symlink at /var/log/snort that points to some other location, but I believe you will be limited to a location residing on the same device (disk).

There was once a feature request for this ability, but it has not been worked on. While its not impossible to make the required changes, it does mean touching quite a lot of PHP code and introduces a big chance of new bugs if a reference to the current /var/log/snort path is missed.

JonathanLee

@bmeeks

Thank you the symbolic link did just what I needed, great idea

ln -s -F /mnt/LOGS_Optane/snort /var/log/snort

This did the trick with the mount point I had to delete the old directory first /var/log/snort and recreate it after because at first it would say it is not empty

Updated my unofficial guide if anyone else wants to try this

https://forum.netgate.com/topic/195843/unofficial-guide-have-package-logs-record-to-a-secondary-ssd-drive-snort-syslog-squid-and-or-squid-cache-system