Snort mailing list archives
RE: disable /var/log/snort logging
From: "Nick White" <nwhite () avidbio com>
Date: Thu, 8 May 2003 10:18:36 -0700
Whenever I use -N and change my output line in snort.conf to alert, it creates /var/log/snort/alert and continues to write alerts there (without packet information). If possible, I'd like snort to _only_ log alerts (with packet information) to mysql. Another user suggested simply deleting the disk logs, but even then, there is a lot of unnecessary overhead.

Basically what I'm trying to accomplish is this:

1. Log to mysql with full packet information for alerts. (done)
2. Not have snort write a lot of redundant data to the disk that already exists in mysql.

Thanks for your kind suggestions. Any further ideas?

NW

-----Original Message-----
From: Bamm Visscher [mailto:bamm () satx rr com]
Sent: Thursday, May 08, 2003 5:57 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] disable /var/log/snort logging

Attach the database plugin to the 'alert' facility vice the 'log' facility when using -N. For example,

output database: alert, postgresql, user=snort dbname=snort

vs.

output database: log, postgresql, user=snort dbname=snort

Bammkkkk

On Wed, May 07, 2003 at 04:48:13PM -0700, Nick White wrote:

You're right, the -N option turns off packet logging. Sure it doesn't write to the disk, but it turns off packet logging within mysql as well - not cool. Surely there is a way to have snort log everything to mysql (even packet logging), without dumping data to the hard drive. I just can't figure out how. I'm starting snort with the -b (binary logging) option, which takes care of it crashing after a few minutes under a really heavy load. Even still, logging to the disk is a total waste because I'll never do anything with the binary logs.
-------------------------------------------------------
Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara
The only event dedicated to issues related to Linux enterprise solutions
www.enterpriselinuxforum.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users