Snort mailing list archives
RE: Problems logging to syslog and mysqlsimultaneously
From: "Don" <Don () WeberOnTheWeb com>
Date: Sat, 22 Jun 2002 23:04:43 -0700
You're special, of course. You must have a special version of Windows. I darn sure can't do it, but I may try the hack from Frank.

Don
-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Michael Steele
Sent: Friday, June 21, 2002 9:36 PM
To: 'Frank Knobbe'; snort-users () lists sourceforge net
Cc: Chris Reid
Subject: RE: [Snort-users] Problems logging to syslog and mysqlsimultaneously

Frank,

I'm running Windows and I am logging to local syslog using snort.conf; I'm not using the -s switch. I'm also logging to MySQL. I'm going to forward this to Chris Reid and see what he has to say about this. This may be useful, but why am I able to log to the local syslog using snort.conf while others are having problems?

Michael Steele | System Engineer / System Administrator
mailto:michaels () silicondefense com
http://www.silicondefense.com

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Frank Knobbe
Sent: June 21, 2002 8:48 PM
To: Michael Steele
Cc: 'Don'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Problems logging to syslog and mysqlsimultaneously

On Wed, 2002-06-19 at 19:38, Michael Steele wrote:
> Don,
>
> Hummm... This is bizarre... I have 37k alerts in my Syslog, so I know it works. Are you sure you don't have some service turned off that is preventing the alerts from arriving? What version of Snort? Do you have alerts in the syslog? Can you send me your snort.conf?

Not at all bizarre. I think this affects only the Windows version. Here's why.

The syslog config in snort.conf is useless on Windows machines since it does not specify an IP address of a syslog server. Windows does not have a native syslog thingy, so without specifying an IP address, Snort doesn't log. Again, only under Windows. Under *nix, the syslog config in snort.conf works fine.

If you specify a syslog server with -s on the command line, you enable Snort-win32 to log to syslog. However, the command line option overrides the snort.conf, so other outputs don't work.

The solution is to hack the code. You can have Snort accept the -s option and at the same time still use snort.conf outputs. So after the hack, you can log to syslog and *SQL.

In snort.c, within ParseCmdLine, you'll find:

    #ifdef WIN32
        case 'E': /* log alerts to Event Log */
            pv.syslog_flag = 1;
            pv.syslog_remote_flag = 0;
            DebugMessage(DEBUG_INIT, "Logging alerts to Event Log\n");
            pv.alert_cmd_override = 1;
            break;
    #endif

Just remove the >pv.alert_cmd_override = 1;< line and you can specify -s without overriding the snort.conf.

Regards,
Frank

-------------------------------------------------------
Sponsored by: ThinkGeek at http://www.ThinkGeek.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
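To make the precedence problem in Frank's message concrete, here is an added C model written for this archive page, not Snort's own source: the pv field names, the OUT_* bits and the snort.conf line matching are assumptions, and -s and -E are both treated as setting the override flag. It shows why the database output silently disappears on the stock build and comes back once the override assignment is gone.

```c
/* Added model (not Snort's source) of the behaviour described in the thread:
 * on the Win32 build, -s / -E set pv.alert_cmd_override, and Snort then ignores
 * the "output" plugins in snort.conf, so MySQL logging silently stops. With the
 * assignment removed, command-line syslog and snort.conf outputs coexist.
 * The pv fields, OUT_* bits and config-line matching are assumptions. */
#include <string.h>

#define OUT_SYSLOG   0x1u  /* -s, or "output alert_syslog" in snort.conf */
#define OUT_EVENTLOG 0x2u  /* -E (Win32 Event Log) */
#define OUT_DATABASE 0x4u  /* "output database: ..." in snort.conf */

struct pv { int syslog_flag; int eventlog_flag; int alert_cmd_override; };

/* Mirrors the quoted ParseCmdLine case; 'patched' leaves alert_cmd_override
 * at 0, which is the one-line change the thread suggests. */
struct pv parse_cmdline(int argc, char **argv, int patched)
{
    struct pv pv = {0, 0, 0};
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-s") == 0) pv.syslog_flag = 1;
        else if (strcmp(argv[i], "-E") == 0) pv.eventlog_flag = 1;
        else continue;
        if (!patched) pv.alert_cmd_override = 1;  /* assignment the hack removes */
    }
    return pv;
}

/* Collects "output <plugin>: ..." lines from snort.conf text into OUT_* bits. */
unsigned conf_outputs(const char *conf)
{
    unsigned mask = 0;
    const char *line = conf;
    while (line && *line) {
        if (strncmp(line, "output alert_syslog", 19) == 0) mask |= OUT_SYSLOG;
        else if (strncmp(line, "output database", 15) == 0) mask |= OUT_DATABASE;
        line = strchr(line, '\n');
        if (line) line++;          /* advance past the newline to the next line */
    }
    return mask;
}

/* Outputs that actually receive alerts: command-line ones always, snort.conf
 * ones only while alert_cmd_override is clear. */
unsigned effective_outputs(struct pv pv, unsigned conf_mask)
{
    unsigned mask = (pv.syslog_flag ? OUT_SYSLOG : 0u)
                  | (pv.eventlog_flag ? OUT_EVENTLOG : 0u);
    return pv.alert_cmd_override ? mask : (mask | conf_mask);
}
```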
Current thread:
- Problems logging to syslog and mysql simultaneously dlpassport (Jun 19)
- RE: Problems logging to syslog and mysql simultaneously Michael Steele (Jun 19)
- <Possible follow-ups>
- RE: Problems logging to syslog and mysql simultaneously Michael Steele (Jun 19)
- RE: Problems logging to syslog and mysql simultaneously dlpassport (Jun 19)
- RE: Problems logging to syslog and mysql simultaneously Michael Steele (Jun 19)
- RE: Problems logging to syslog and mysql simultaneously Michael Steele (Jun 19)
- RE: Problems logging to syslog and mysql simultaneously Don (Jun 19)
- RE: Problems logging to syslog and mysql simultaneously Michael Steele (Jun 19)
- RE: Problems logging to syslog and mysql simultaneously Frank Knobbe (Jun 21)
- RE: Problems logging to syslog and mysqlsimultaneously Michael Steele (Jun 21)
- RE: Problems logging to syslog and mysqlsimultaneously Don (Jun 22)
- RE: Problems logging to syslog and mysql simultaneously Don (Jun 19)