Snort mailing list archives
RE: Fatal Error OpenLogFile
From: "Scott" <scottr () vdot net>
Date: Thu, 26 Jul 2001 00:12:00 -0400
Ok, I ran an strace and the line for mkdir is

    mkdir("/var/log/snort/xx.xxx.xxx.xx", 0775) = -1 EACCES (Permission denied)

The function wanted the directory permissions set to 0775. Once I did that and verified that /var/log/snort was snort/snort, the IP directory logs were created. The IP directory that was created has permissions of 0700 and the data file within the IP directory has permissions of 0600. I did change /var/log/snort to 0755 and it still seems to work.

Now that it logs for the owner/group of snort/snort, how do I get snort to start up as the owner/group snort? Or should I let snort run as owner/group root?

Thanks for all your help.

Scotty
-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Erek Adams
Sent: Wednesday, July 25, 2001 11:06 PM
To: Scott
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Fatal Error OpenLogFile

On Wed, 25 Jul 2001, Scott wrote:

> I have tried to get snort to run as owner/group of snort, but it won't. I'm
> using snort 1.8 build 43. It will only run as root and only write logs for
> root/root. Any suggestions as to how I would go about making snort run and
> log as owner/group snort?

Short answer: Painfully.

> BTW here is how I'm starting snort
>
> daemon /usr/sbin/snort -u root -g root -s -d -D \
>     -i eth1 -l /var/log/snort -c /etc/snort/snort.conf
> touch /var/lock/subsys/snort
>
> I have tried changing the -u and -g to snort which is a group in my groups
> files and I've changed the /var/log/snort to owner/group of snort.
>
> When owner/group is snort and /var/log/snort is also group/owner snort I still
> get the OpenLogFile error.

Longer Answer: I've been wrestling with this for a while. I've gotten it to work--sorta. I can start snort as snort and chroot it. But... if I HUP it, it dies. Anyway, it is possible, just not easy.

I'm not sure what OS you're on, but many/most *nix boxes have some sort of trace utility. trace, strace, and truss are the ones I've used before. Start snort under a trace, just as you do normally. You should see what is causing the 'cant open...' message. You might want to send it to a file, so you can parse thru at your leisure.

Good luck.

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
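The trace-to-a-file approach discussed in this thread, as an added example that is not part of the original messages: a shell script that reads a trace saved with `strace -f -o FILE <command>`, lists the calls that failed with EACCES or EPERM, and shows the owner and mode of each parent directory. The function names and the sample trace lines are constructed for illustration; with no argument the script runs on the sample.

```sh
#!/bin/sh
# Added example (not from the thread): find what a traced daemon was denied.
# Input: a file written by `strace -f -o FILE <command>`.

# Constructed sample trace; the mkdir line mirrors the one quoted above,
# with a documentation address in place of the redacted IP.
sample_trace() {
    cat <<'EOF'
1234 open("/etc/snort/snort.conf", O_RDONLY) = 3
1234 open("/etc/snort/local.rules", O_RDONLY) = -1 ENOENT (No such file or directory)
1234 mkdir("/var/log/snort/192.0.2.10", 0775) = -1 EACCES (Permission denied)
1234 open("/var/log/snort/alert", O_WRONLY|O_APPEND|O_CREAT, 0600) = -1 EACCES (Permission denied)
EOF
}

# Print "syscall<TAB>path<TAB>errno" for each call that failed with
# EACCES or EPERM. The first quoted argument is taken as the path.
denied_calls() {
    awk '
    / = -1 (EACCES|EPERM) / {
        line = $0
        sub(/^[0-9]+ +/, "", line)              # drop the PID that -f adds
        name = line; sub(/\(.*/, "", name)      # syscall name
        if (match(line, /"[^"]*"/) == 0) next   # no path argument
        path = substr(line, RSTART + 1, RLENGTH - 2)
        err = line; sub(/.* = -1 /, "", err); sub(/ .*/, "", err)
        printf "%s\t%s\t%s\n", name, path, err
    }' "$1"
}

# For each denial, show mode and owner:group of the parent directory.
# Creating an entry needs write and search permission there for the
# user the daemon runs as.
explain_denials() {
    denied_calls "$1" | while IFS="$(printf '\t')" read -r name path err; do
        parent=$(dirname "$path")
        printf '%s %s -> %s\n' "$name" "$path" "$err"
        if [ -d "$parent" ]; then
            ls -ld "$parent" | awk '{ print "  parent: " $1, $3 ":" $4 }'
        else
            printf '  parent: %s (not present on this host)\n' "$parent"
        fi
    done
}

# Use the trace file given as $1, or the constructed sample if none.
trace=${1:-}
[ -n "$trace" ] || { trace=$(mktemp); sample_trace > "$trace"; }
explain_denials "$trace"
```

Comparing the reported owner:group and mode with the user and group passed to snort via -u and -g shows whether the log directory is writable by that account.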