Michael, et al.,
Where is the “official” IPFire location for a conf file? I find some in:
/usr/share/<process>/<process.conf>
or
/etc/<process>/<process.conf>
or
/var/ipfire/<process>/<process.conf>
I think the second option is the UNIX/Linux style.
I should have been more specific. I am looking for the official IPFire location for .conf files.
Well, it depends.
Configuration files should normally be in /etc or /etc/<program name>. The web user interface stores stuff in /var/ipfire and some exceptions were also made there.
What are you building?
Just updating the wiki…
In the swatch wiki there is a configuration file at /var/ipfire/snort/swatchrc which didn’t seem correct. The default configuration is ${HOME}/.swatchdogrc but that didn’t seem correct for IPFire.
So I was looking for the official location.
Hi @jon,
Since you can run multiple instances of swatch with each watching different files, I created a directory:
/etc/swatchrc
And then created a subdirectory for each thing monitored. Since I’m only using it to monitor Suricata’s fast.log currently, I created a subdirectory:
/etc/swatchrc/suricata
containing an instance of swatch.conf
/etc/swatchrc/suricata/swatch.conf
If I want to run swatch monitoring some other file, I can simply add another subdirectory and the corresponding new swatch.conf instance.
Seemed reasonable to my simple caveman brain
[Edit]: I suppose it would be just as well to create meaningful named *.conf files for each thing monitored rather than using a subdirectory for each.
I am almost positive you can put all of the configuration in one file and just run one daemon. (I have not tried this yet)
I did some web searches looking for examples of swatch watching multiple files but didn’t find any.
After playing around a bit – doing backup, reinstall, and restores – I like having my swatch.conf for Suricata’s fast.log saved in /var/ipfire/suricata. That way my swatch.conf gets restored along with other settings. When I had the swatch.conf under /etc/… , it did not get restored.
FYI - What you have done is fine and no need to change. If you are interested, here is an example:
This one watches three files:
/usr/local/bin/swatch -c /server/swatch.conf --daemon \
-t "/var/log/secure /var/log/php.log /server/log/nginx/error.log" \
&