We use Daemonlogger as our pcap logger of choice with the Sguil implementation and the securixlive NSMnow project's management scripts. The NSMnow scripts were stopping and restarting the packet capture every 15 minutes, which causes a great deal of problems when you are investigating and find that portions of TCP streams are missing. So we switched to Daemonlogger and had it stop and start every night after creating a subdirectory for each day in YYYY-MM-DD format. The patch I wrote removes the need for that. You can download the patch here.
--- daemonlogger-1.2.1/daemonlogger.c 2008-11-24 14:56:48.000000000 -0500
+++ daemonlogger-1.2.1-datedir/daemonlogger.c 2009-09-29 02:02:39.000000000 -0400
@@ -230,6 +230,9 @@
static char *chroot_dir;
static char logdir[STDBUF];
static char testpath[STDBUF];
+static char pathdatedir[STDBUF];
+char datedir[11] = {0};
+char datedir_cur[11] = {0};
static size_t rollsize;
static time_t lastroll;
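Review bot: datedir and datedir_cur are declared with external linkage while every neighbouring buffer in this hunk (chroot_dir, logdir, testpath and the new pathdatedir) is static; unless another translation unit needs them, they should read `static char datedir[11] = {0};` and `static char datedir_cur[11] = {0};`. The size 11 is repeated as a bare literal in the strncpy and snprintf calls of the following hunk, so a single named constant, e.g. `enum { DATEDIR_LEN = sizeof "YYYY-MM-DD" };`, used for both the declarations and those calls would keep the buffer size and the copy/format lengths from drifting apart. A short comment such as `/* current log day as YYYY-MM-DD; datedir_cur is recomputed on every get_filename() call */` above the declarations would also make their relationship obvious to the next reader.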
@@ -411,27 +414,53 @@
return SUCCESS;
}
+void datedirfunc()
+{
+ struct tm *current;
+ time_t now;
+
+ time(&now);
+ current = localtime(&now);
+
+ snprintf(datedir_cur, 11, "%04d-%02d-%02d", (current->tm_year + 1900),
+ (current->tm_mon + 1), current->tm_mday);
+}
+
char *get_filename()
{
time_t currtime;
memset(logdir, 0, STDBUF);
currtime = time(NULL);
+ datedirfunc();
if(logpath != NULL)
{
- if(snprintf(logdir,
+ if(strcmp(datedir, datedir_cur) != 0)
+ {
+ strncpy(datedir, datedir_cur, 11);
+ snprintf(pathdatedir, STDBUF, "%s/%s", logpath, datedir);
+ mkdir(pathdatedir, S_IRWXU | S_IRWXG);
+ }
+ if(snprintf(logdir,
STDBUF,
- "%s/%s.%lu",
+ "%s/%s/%s.%lu",
logpath,
+ datedir,
logfilename,
(long unsigned int) currtime) < 0)
return NULL;
}
else
{
+ if(strcmp(datedir, datedir_cur) != 0)
+ {
+ strncpy(datedir, datedir_cur, 11);
+ mkdir(datedir, S_IRWXU | S_IRWXG);
+ }
if(snprintf(logdir,
STDBUF,
- "%s.%lu",
+ "%s/%s.%lu",
+ datedir,
logfilename,
(long unsigned int) currtime) < 0)
return NULL;
There is still some functionality left to be desired. I plan to update Daemonlogger further so that it re-indexes existing files in the dated subdirectories when it starts up; that way it can continue to auto-prune the oldest existing file within the logging directory instead of only the files created during the most recent run of the program.
