Snort mailing list archives
RE: Help with logging structure
From: "John Berkers" <berjo () ozemail com au>
Date: Wed, 8 Aug 2001 07:08:22 +1000
Gerardo,

Firstly we need to know a few things in order to help you. Which version of Snort are you using? There are RPMs for both 1.7 and 1.8.1p. Secondly, how are you telling it where to log? Thirdly, what OS?

If you use the -l /var/log/snort option all logging should go straight to that directory, creating the files alert and portscan.log.

RedHat will by default log almost everything to /var/log/messages, but some other distributions, eg Mandrake, will split up the logging to a different structure. You need to look in /etc/syslog.conf where the auth.=alert messages are going. If all of auth is going into /var/log/auth.log then you should look there for your alerts.

Hope that steers you in the right direction.

Regards,
John Berkers
berjo () ozemail com au

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Gerardo Gregory
Sent: Monday, 6 August 2001 23:00
To: snort-users () lists sourceforge net
Subject: [Snort-users] Help with logging structure

I am starting to play with snort, evaluating to see if it can play a role in our security structure. So bear with me if this seems repetitive.

I installed the RPM package of snort; it created a directory in /etc/ called snort and dumped everything there, then in /var/log/ it also went and created a directory called snort, and finally a file called portscan.log was dumped in /. Is this normal???? Also, how do I modify which file to send logs to? I have tried using some of the plug-ins but it seems not to work when I enter values such as /var/log/snort/portscan.log (attempting to move the portscan.log under /var/log/snort/ and away from /).

Example: running snort without any variables logs to /var/log/snort/alert. If I start snort with a variable -s (it's supposed to go to syslog) it doesn't log anything anywhere....
/var/log/secure is empty, /var/log/messages only has ICMP echo / echo-reply [and I think that is the system logging, not snort].

Any pointers or help will be appreciated.

Thanks,
GG

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
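The check John suggests (find where /etc/syslog.conf sends auth.=alert messages) is easy to get wrong by eye once a file has several `;`-joined selectors with `none`, `=` and `!` modifiers. The following is an added example, not code from the thread or from the Snort project: a small resolver for the classic sysklogd selector syntax the thread refers to (it does not understand rsyslog's newer configuration language). The sample configuration embedded below is constructed to resemble a Red Hat style file and is not taken from any real host.

```python
"""Resolve where a classic /etc/syslog.conf routes a facility.priority pair.

Added example: walk the sysklogd-style selectors and report every action
(log file, remote host, pipe, or '*' for wall) that would receive a message
such as a Snort syslog alert.  Assumes the classic syslog.conf format.
"""

# Priority levels in ascending severity, plus the aliases sysklogd accepts.
_LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
_ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}


def _level(name):
    """Map a priority name (or alias) to its numeric rank."""
    name = _ALIASES.get(name.lower(), name.lower())
    if name not in _LEVELS:
        raise ValueError("unknown priority: %s" % name)
    return _LEVELS.index(name)


def _apply_selector(selector, facility, priority, decision):
    """Update one line's routing decision for a 'fac[,fac].prio' selector.

    Selectors are evaluated left to right; later ones override earlier ones
    for the same facility, which is how 'mail.none' cancels '*.info'.
    """
    facs, _, spec = selector.rpartition(".")
    if not facs:
        raise ValueError("malformed selector: %s" % selector)
    fac_list = [f.strip().lower() for f in facs.split(",")]
    if "*" not in fac_list and facility not in fac_list:
        return decision  # selector is about other facilities
    spec = spec.strip().lower()
    if spec == "none":
        return False
    if spec == "*":
        return True
    if spec.startswith("!="):  # exclude exactly this priority
        return False if priority == _level(spec[2:]) else decision
    if spec.startswith("!"):   # exclude this priority and above
        return False if priority >= _level(spec[1:]) else decision
    if spec.startswith("="):   # exactly this priority
        return True if priority == _level(spec[1:]) else decision
    return True if priority >= _level(spec) else decision  # this and above


def destinations_for(conf_text, facility, priority_name):
    """Return the actions in conf_text that receive facility.priority messages."""
    priority = _level(priority_name)
    facility = facility.lower()
    actions = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue                            # no action field: nothing routed
        selectors, action = parts
        decision = False
        for selector in selectors.split(";"):
            decision = _apply_selector(selector.strip(), facility, priority, decision)
        if decision:
            actions.append(action.strip().lstrip("-"))  # '-' only disables fsync
    return actions


# Constructed sample (not a real host's file) in the Red Hat style the thread mentions.
SAMPLE_CONF = """
# Log anything of info or higher, except mail/authpriv/cron noise.
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
auth,authpriv.*                             /var/log/auth.log
*.emerg                                     *
kern.*                                      -/var/log/kern.log
"""

if __name__ == "__main__":
    for fac in ("auth", "authpriv"):
        print("%s.alert ->" % fac, destinations_for(SAMPLE_CONF, fac, "alert"))
```

Run it against the real file with `destinations_for(open("/etc/syslog.conf").read(), "auth", "alert")`; an empty list means the daemon is dropping those messages, which is the "logs nothing anywhere" symptom in the original question. Note that Snort's own choice of facility and priority for `-s` depends on the version and build, so check both `auth` and `authpriv` as the sample does.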