Snort mailing list archives
RE: disable /var/log/snort logging
From: "L. Christopher Luther" <CLuther () Xybernaut com>
Date: Thu, 8 May 2003 15:43:47 -0400
Nick, I can "feel your pain" but as mentioned in a previous post [0], the command line alert/log options override the output plugins in snort.conf [1]. If the Snort docs are accurate, then specifying '-N' on the command line would override the 'output database: alert, mysql ...' option in snort.conf and you *would* end up with alerts being written to /var/log/snort/alert.

I think the only way you're going to get the results you want (assuming that this is not a bug in Snort - shuuddeerr) is to specify both an alert facility *and* a log facility in snort.conf:

    output database: alert, mysql, user=snortusr password=fakepass dbname=snort host=localhost
    output log_null

That is, you want *two* separate 'output ...' statements in snort.conf. The log facility, however, will be/should be directed to null.

It's also worth mentioning again that you shouldn't run Snort in daemon mode until you make sure things are working. It is my experience that Snort console messages are lost in daemon mode, so the interactive mode will let you see messages Snort generates as it parses and processes the command line and snort.conf options.

- Christopher

[0] http://marc.theaimsgroup.com/?l=snort-users&m=105236757819419&w=2
[1] http://www.snort.org/docs/writing_rules/chap1.html#tth_sEc1.4.1

-----Original Message-----
From: Nick White [mailto:nwhite () avidbio com]
Sent: Thursday, May 08, 2003 1:19 PM
To: bamm () satx rr com; snort-users () lists sourceforge net
Subject: RE: [Snort-users] disable /var/log/snort logging

Whenever I use -N and change my output line in snort.conf to alert, it creates /var/log/snort/alert and continues to write alerts there (without packet information). If possible, I'd like snort to _only_ log alerts (with packet information) to mysql. Another user suggested simply deleting the disk logs, but even then, there is a lot of unnecessary overhead.

Basically what I'm trying to accomplish is this:
1. Log to mysql with full packet information for alerts. (done)
2. Not have snort write a lot of redundant data to the disk that already exists in mysql.

Thanks for your kind suggestions. Any further ideas?

NW

-----Original Message-----
From: Bamm Visscher [mailto:bamm () satx rr com]
Sent: Thursday, May 08, 2003 5:57 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] disable /var/log/snort logging

Attach the database plugin to the 'alert' facility vice the 'log' facility when using -N. For example,

    output database: alert, postgresql, user=snort dbname=snort

vs.

    output database: log, postgresql, user=snort dbname=snort

Bammkkkk

On Wed, May 07, 2003 at 04:48:13PM -0700, Nick White wrote:

> You're right, the -N option turns off packet logging. Sure it doesn't write to the disk, but it turns off packet logging within mysql as well - not cool. Surely there is a way to have snort log everything to mysql (even packet logging), without dumping data to the hard drive. I just can't figure out how.
>
> I'm starting snort with -b (binary logging) option, which takes care of it crashing after a few minutes under a really heavy load. Even still, logging to the disk is a total waste because I'll never do anything with the binary logs.
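A small configuration checker for the pitfall this thread circles around, written as an added example (not code from the thread or from the Snort project): it parses the Snort 2.x `output` directives in a snort.conf fragment and reports when the database plugin is bound to the `log` facility that `-N` switches off, or when an alert-facility database output is not paired with `output log_null` as Christopher suggests. The two snort.conf fragments are constructed for the example.

```python
import re

# Constructed snort.conf fragments for this example (not from the thread).
# BROKEN binds the database plugin to 'log', the pitfall Bamm points out:
# -N turns off the log facility, so nothing reaches the database.
BROKEN_CONF = """
output database: log, mysql, user=snortusr password=fakepass dbname=snort host=localhost
"""
# FIXED follows Christopher's advice: database on 'alert', log facility to null.
FIXED_CONF = """
output database: alert, mysql, user=snortusr password=fakepass dbname=snort host=localhost
output log_null
"""

# Snort 2.x syntax: "output <plugin>[: <args>]"; for the database plugin the
# first argument is the facility ('alert' or 'log') it attaches to.
OUTPUT_RE = re.compile(r"^\s*output\s+([A-Za-z_]+)\s*(?::\s*(.*))?$")


def parse_outputs(conf_text):
    """Return (plugin, facility, args) for every output directive in the text."""
    outputs = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].rstrip()  # drop trailing comments
        m = OUTPUT_RE.match(line)
        if not m:
            continue
        plugin, args = m.group(1), (m.group(2) or "")
        facility = None
        if plugin == "database":
            facility, _, args = args.partition(",")
            facility = facility.strip()
        outputs.append((plugin, facility, args.strip()))
    return outputs


def check_conf(conf_text, no_packet_logging=True):
    """Return findings for running Snort with -N (no_packet_logging) on this config."""
    findings = []
    outputs = parse_outputs(conf_text)
    db = [o for o in outputs if o[0] == "database"]
    if no_packet_logging and any(f == "log" for _, f, _ in db):
        findings.append("database plugin on 'log' facility: -N disables it, "
                        "so no packets reach the database")
    if any(f == "alert" for _, f, _ in db) and not any(
            p == "log_null" for p, _, _ in outputs):
        findings.append("alert database output has no 'output log_null' beside "
                        "it; the thread's fix pairs the two")
    return findings
```

Run `check_conf(BROKEN_CONF)` to see the finding and `check_conf(FIXED_CONF)` to get an empty list; pass `no_packet_logging=False` to evaluate a config for a sensor started without `-N`.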
-------------------------------------------------------
Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara
The only event dedicated to issues related to Linux enterprise solutions
www.enterpriselinuxforum.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users