snort

Snort Log Question: What does the number at the end of snort.log mean?


When a snort log filename is saved as snort.log.########. What does the number at the end represent? Is it randomly generated or is it the epoch date?

I have tried googling the answer to this but can't seem to find the answer. Can someone point out what the answer to this question is? If you know a legitimate source that points out the answer then that would be bonus. Thank you!


Solution

  • The snort.log.xxxxx pcap format log files generated by snort are named using the epoch time of the first packet stored in the log. This allows you to figure out which .log file a particular alert is in. It is not random.

    You can find a canonical reference here, which states:

    Note that by default, unified2 files have the create time (in Unix Epoch format) appended to each file when it is created.
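As an added example (not code from the original post or from the Snort project), the following Python helper turns the epoch suffix into a readable UTC time and, given an alert's epoch timestamp, picks the snort.log file that should contain it: the one whose start time is the latest not after the alert. The filenames and the alert time are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample listing of a snort log directory (not from the original post).
SAMPLE_FILES = [
    "snort.log.1700000000",
    "snort.log.1700003600",
    "snort.log.1700007200",
    "alert",  # the text alert file, which has no epoch suffix
]

# snort.log.<epoch>, where <epoch> is the Unix time of the first packet in the file
SUFFIX_RE = re.compile(r"^snort\.log\.(\d+)$")


def log_epoch(filename):
    """Return the epoch suffix of a snort.log.<epoch> filename as an int, or None."""
    m = SUFFIX_RE.match(filename)
    return int(m.group(1)) if m else None


def log_start_utc(filename):
    """Human-readable UTC start time of the log file (time of its first packet)."""
    epoch = log_epoch(filename)
    if epoch is None:
        raise ValueError(f"not a snort.log.<epoch> file: {filename}")
    return datetime.fromtimestamp(epoch, tz=timezone.utc)


def log_file_for_alert(filenames, alert_epoch):
    """Pick the log file that should contain an alert recorded at alert_epoch.

    Files start at their suffix time and run until the next file is opened, so the
    alert lives in the file with the latest suffix that is not after the alert.
    Returns None if every file starts after the alert.
    """
    candidates = [(log_epoch(f), f) for f in filenames if log_epoch(f) is not None]
    eligible = [(e, f) for e, f in candidates if e <= alert_epoch]
    if not eligible:
        return None
    return max(eligible)[1]


if __name__ == "__main__":
    for name in SAMPLE_FILES:
        if log_epoch(name) is not None:
            print(name, "starts at", log_start_utc(name).isoformat())
    # Constructed alert time: 1700005000 falls between the second and third file.
    print("alert 1700005000 is in", log_file_for_alert(SAMPLE_FILES, 1700005000))
```

One caveat when matching real alerts this way: the suffix is Unix epoch time (UTC), while the timestamps Snort prints in its text alert output are in local time, so convert the alert time to an epoch value in the same zone before comparing.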