

Create a sancp configuration file with appropriate settings 
(This is not required, but useful)

># vi /etc/sancp/sancp.conf
	# define some tcp ports for which we may sometimes log reversed connections
	# i.e. dropped packets?
	known_ports tcp 25,80

# See: contrib/example.sancp.conf for another config file example


Create a base directory for storing sancp data

># mkdir /var/log/sancp


Create a directory for storing today's data 
(YYYY-MM-DD format preferred, should be standardized)

># mkdir /var/log/sancp/`date +"%Y-%m-%d"`


Create a link to today's data directory which sancp will use

># ln -s /var/log/sancp/`date +"%Y-%m-%d"` /var/log/sancp/today


Start sancp (use -D for daemon mode)

># sancp -c /etc/sancp/sancp.conf -d /var/log/sancp/today -i eth0


Create a cron job, scheduled every hour, that creates and re-links a dated directory for the current day's data if one is not present, and sends a 'kill -HUP' signal to sancp on the hour. The signal tells sancp to re-read its configuration/rules file and to open new output files for new activity.

0 * * * * /etc/init.d/sancpd hup

see: etc/init.d/sancpd
see: etc/sancp/sancp.conf
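
One way to implement the hourly rotation step described above. This is an added example, not the project's etc/init.d/sancpd script; the function names and the pid file path are assumptions. It shows the detail that usually goes wrong: re-pointing an existing `today` link without creating a stray link inside the previous day's directory.

```shell
#!/bin/sh
# Hypothetical rotation helper for the hourly cron job (added example).
SANCP_BASE="${SANCP_BASE:-/var/log/sancp}"
SANCP_PIDFILE="${SANCP_PIDFILE:-/var/run/sancp.pid}"   # assumed pid file location

# rotate_sancp_dir BASE [DAY]
# Creates BASE/DAY if missing and points BASE/today at it.
# Prints "relinked" when the link changed, "unchanged" otherwise.
rotate_sancp_dir() {
    base=$1
    day=${2:-$(date +%Y-%m-%d)}
    mkdir -p "$base/$day" || return 1
    if [ "$(readlink "$base/today" 2>/dev/null)" = "$base/$day" ]; then
        echo unchanged
        return 0
    fi
    # -n replaces the existing "today" symlink itself. Without it, ln follows
    # the old link and drops the new link inside yesterday's directory.
    ln -sfn "$base/$day" "$base/today" || return 1
    echo relinked
}

# hup_sancp PIDFILE
# Sends SIGHUP to the pid recorded in PIDFILE. Refuses anything that is
# not a plain number so a corrupt file cannot turn into "kill -HUP <junk>".
hup_sancp() {
    pidfile=$1
    [ -r "$pidfile" ] || return 1
    pid=$(cat "$pidfile")
    case $pid in
        ''|*[!0-9]*) return 1 ;;
    esac
    kill -HUP "$pid"
}

# Invoked from cron as: <script> run
if [ "${1:-}" = "run" ]; then
    if rotate_sancp_dir "$SANCP_BASE" >/dev/null; then
        hup_sancp "$SANCP_PIDFILE"
    fi
fi
```
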


