Snort mailing list archives

RE: output alert_syslog


From: Steve Halligan <giermo () geeksquad com>
Date: Tue, 14 Jan 2003 13:40:00 -0600

You need to add a local5.none to the messages line in
syslog.conf

...I think...

Hi,

I've configured snort 1.9.0 to use syslog and edited syslog.conf so it logs
local5.alert to /var/log/snort.alert but it's logging to that file AND
/var/log/messages. I'd like to log to snort.alert only.

Here is the relevant information:

snort.conf:

[...]
output alert_syslog: LOG_LOCAL5 LOG_ALERT
output log_unified: filename snort.log, limit 128
[...]


syslog.conf:

*.err;*.notice;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages
security.*                                      /var/log/security
auth.notice;auth.info;authpriv.info             /var/log/auth.log
mail.info                                       /var/log/maillog
cron.*                                          /var/log/cron
*.emerg                                         *
local5.alert                                    /var/log/snort.alert
console.info                                    /var/log/console.log


# ls -l /var/log/snort.alert
-rw-r--r--  1 root  wheel  2015 Jan 14 16:45 snort.alert

# ls -l /var/log/snort/
-rw-r--r--  1 snort  snort  489509 Jan 14 16:54 scan.log
-rw-r--r--  1 snort  snort    1119 Jan 14 16:45 snort.alert
-rw-r--r--  1 snort  snort     452 Jan 14 12:56 snort.log.1042555093
-rw-r--r--  1 snort  snort     514 Jan 14 12:58 snort.log.1042556289
-rw-r--r--  1 snort  snort      24 Jan 14 16:40 snort.log.1042569610

I'm running snort with this command line:

 /usr/local/bin/snort -D -c /usr/local/etc/snort.conf -i fxp0 -p -z -u snort \
  -g snort -m 022

Thanks in advance (and sorry if it is obvious),

--
Giovanni P. Tirloni
gpt () tirloni org


-------------------------------------------------------
This SF.NET email is sponsored by: Take your first step towards giving
your online business a competitive advantage. Test-drive a Thawte SSL
certificate - our easy online guide will show you how. Click here to get
started: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0027en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
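
Added example, not part of the original thread: a simplified Python model of syslog.conf selector matching, run over the rules posted above, showing why a local5.alert message reaches both files and what appending local5.none to the messages line changes. It assumes BSD syslogd semantics (a level selects that priority and anything more severe; a later selector for a facility replaces an earlier one); the function names are made up for this illustration.

```python
# Added example: simplified model of syslog.conf selector matching.
# Assumed semantics (BSD syslogd): "fac.level" selects that level and anything
# more severe; a later selector for the same facility replaces an earlier one;
# "fac.none" switches the facility off for that line.
# Not modelled: comparison flags (=, !, <, >) and comma-separated facilities.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Rules as posted in the question (selector field, action).
POSTED = [
    ("*.err;*.notice;kern.debug;lpr.info;mail.crit;news.err", "/var/log/messages"),
    ("security.*", "/var/log/security"),
    ("auth.notice;auth.info;authpriv.info", "/var/log/auth.log"),
    ("mail.info", "/var/log/maillog"),
    ("cron.*", "/var/log/cron"),
    ("*.emerg", "*"),
    ("local5.alert", "/var/log/snort.alert"),
    ("console.info", "/var/log/console.log"),
]

def with_exclusion(rules, action, selector):
    """Return a copy of rules with `selector` appended to the line for `action`."""
    return [(s + ";" + selector if a == action else s, a) for s, a in rules]

def threshold(selectors, facility):
    """Least severe level the line accepts for `facility`, or None."""
    level = None
    for sel in selectors.split(";"):
        fac, _, lvl = sel.strip().partition(".")
        if fac in ("*", facility):
            level = None if lvl == "none" else lvl
    return level

def destinations(rules, facility, level):
    """Actions that receive a message logged as facility.level."""
    out = []
    for selectors, action in rules:
        thr = threshold(selectors, facility)
        if thr == "*" or (thr and LEVELS.index(level) <= LEVELS.index(thr)):
            out.append(action)
    return out

if __name__ == "__main__":
    fixed = with_exclusion(POSTED, "/var/log/messages", "local5.none")
    print("posted:", destinations(POSTED, "local5", "alert"))
    print("fixed: ", destinations(fixed, "local5", "alert"))
```

In the posted rules, `*.notice` on the messages line already covers every facility at notice and above, which includes local5 at alert; the exclusion only affects that one line, so other facilities still reach /var/log/messages.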




