RE: Fatal Error OpenLogFile

["Scott" <scottr () vdot net>]

Ok, I ran an strace and the line for mkdir is
mkdir("/var/log/snort/xx.xxx.xxx.xx", 0775) = -1 EACCES (Permission denied)
the function wanted the directory permissions set to 0775.  Once I did that
and verified the /var/log/snort was snort/snort the ip directory logs were
created. The IP directory that was created has permissions of 0700 and the
data file within the IP directory has permissions of 0600. I did change the
/var/log/snort to 0755 and it still seems to work.

Now that it logs for the owner/group of snort/snort, how do I get snort to
startup as the owner/group snort? or should I let snort run as owner/group
root?

Thanks for all your help.

Scotty




> -----Original Message-----
> From: snort-users-admin () lists sourceforge net
> [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Erek Adams
> Sent: Wednesday, July 25, 2001 11:06 PM
> To: Scott
> Cc: snort-users () lists sourceforge net
> Subject: RE: [Snort-users] Fatal Error OpenLogFile
>
>
> On Wed, 25 Jul 2001, Scott wrote:
>
> > I have tried to get snort to run as owner/group of snort, but
> it won't.  I'm
> > using snort 1.8 build 43.  It will only run as root and only
> write logs for
> > root/root.  Any suggestions as to how I would go about making
> snort run and
> > log as owner/group snort?
>
> Short answer:  Painfully.
>
> > BTW here is how I'm starting snort
> >
> >  daemon /usr/sbin/snort -u root -g root -s -d -D \
> >                 -i eth1 -l /var/log/snort -c /etc/snort/snort.conf
> >         touch /var/lock/subsys/snort
> >
> > I have tried changing the -u and -g to snort which is a group
> in my groups
> > files and I've changed the /var/log/snort to owner/group of snort.  When
> > owner/group is snort and /var/log/snort is also group/owner
> snort I still
> > get the OpenLogFile error.
>
> Longer Answer:  I've been wrestling with this for a while.  I've
> gotten it to
> work--sorta.  I can start snort as snort and chroot it.  But...
> if I HUP it,
> it dies.  Anyway, it is possible, just not easy.
>
> I'm not sure what OS you're on, but many/most *nix boxes have some sort of
> trace utility.  trace, strace, and truss are the ones I've used
> before.  Start
> snort under a trace, just as you do normally.  You should see
> what is causing
> the 'cant open...' message.  You might want to send it to a file,
> so you can
> parse thru at your liesure.
>
> Good luck.
>
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net
>
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users