Snort mailing list archives
RE: disable /var/log/snort logging
From: "Nick White" <nwhite () avidbio com>
Date: Thu, 8 May 2003 13:45:50 -0700
That did it! Funny, the first time I tried output log_null on its own line, snort wouldn't start... I must have done something wrong that first time. So I figured maybe you meant to put it on the same line, and snort started fine once I did that. I tried it again on its own line, and snort started. Must be the gremlins. Anyway snort is logging to mysql beautifully, and no redundant disk logging. Many many thanks to LCL and those here on snort-users.

NW

-----Original Message-----
From: L. Christopher Luther [mailto:CLuther () Xybernaut com]
Sent: Thursday, May 08, 2003 10:27 AM
To: Nick White
Cc: Snort-Users (E-mail)
Subject: RE: [Snort-users] disable /var/log/snort logging

Nick,

Sorry, I didn't explain it better -- let me try again. Try the following in snort.conf:

    output database: alert, mysql, user=snortusr password=fakepass dbname=snort host=localhost
    output log_null

That is, you want *two* separate 'output ...' statements in snort.conf. This should send the Snort alert facility to MySQL and the log facility to NULL. If this doesn't work, then me thinks me smells a bug. ;)

Also, you shouldn't run Snort in daemon mode until you make sure things are working. It is my experience that Snort console messages are lost in daemon mode, so the interactive mode will let you see messages Snort generates as it parses and processes the command line and snort.conf options.

- Christopher

-----Original Message-----
From: Nick White [mailto:nwhite () avidbio com]
Sent: Thursday, May 08, 2003 12:11 PM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] disable /var/log/snort logging

Thanks LCL for your suggestions and documentation references. I now better understand how snort treats alerts versus logs. I've tried your suggestion with the following line in my snort.conf:

    output database: alert, mysql, log_null, user=snortusr password=fakepass dbname=snort host=localhost

But it's still alerting to /var/log/snort.
Whenever I use the -N option to start snort, it still alerts, but doesn't log any of the packet data. Snort is starting with -u snort -g snort -d -D -b -c /etc/snort/snort.conf. I've tried removing -b, but it still alerts to disk. Any other suggestions that I can try?

Thanks again,
NW

-----Original Message-----
From: L. Christopher Luther [mailto:CLuther () Xybernaut com]
Sent: Wednesday, May 07, 2003 8:49 PM
To: Nick White
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] disable /var/log/snort logging

Nick,

Snort uses two output facilities - one for alerts and one for logs [0] (a must read). Your snort.conf only specifies an output facility for the alerts, so I'm thinking that Snort therefore falls back to its 'default' logging facility (i.e., /var/log).

From what I've read and understand, you have two choices:

1) '-N' on the command line (yes, I know you said it didn't work)
2) In snort.conf, add an 'output log_null' after the 'output database: alert ...'

Also: "Note that command line logging options override any output options specified in the configuration file. This allows debugging of configuration issues quickly via the command line." [1] This could be why specifying '-N' on the command line disables the output plugin for MySQL.

Try the 'output log_null' in snort.conf and let us know what happens.

HTH,
Christopher

[0] http://www.theadamsfamily.net/~erek/snort/logging_methods.txt
[1] http://www.snort.org/docs/writing_rules/chap1.html#tth_sEc1.4.1

-----Original Message-----
From: Nick White [mailto:nwhite () avidbio com]
Sent: Wednesday, May 07, 2003 7:48 PM
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] disable /var/log/snort logging

You're right, the -N option turns off packet logging. Sure it doesn't write to the disk, but it turns off packet logging within mysql as well - not cool. Surely there is a way to have snort log everything to mysql (even packet logging), without dumping data to the hard drive. I just can't figure out how.

I'm starting snort with the -b (binary logging) option, which takes care of it crashing after a few minutes under a really heavy load. Even still, logging to the disk is a total waste because I'll never do anything with the binary logs.

-----Original Message-----
From: Anderson Johnston [mailto:andy () umbc edu]
Sent: Tuesday, May 06, 2003 3:36 PM
To: Nick White
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] disable /var/log/snort logging

The -N option should suppress logging (while allowing alerts). Caveats:

1. I don't know if it will stop logs to mysql, too.
2. The option doesn't seem to be working on my system (Solaris 8) under Snort 2.0.

- Andy

On Tue, 6 May 2003, Nick White wrote:
Hi All,

I'm fairly new with snort, so go easy on me. I'm running snort and logging to mysql just fine. The problem is, it's also logging to /var/log/snort. I need to figure out how to disable this logging to disk. I've looked at all the switches, and I can't seem to figure it out. I tried -A none, but then it stopped alerting to mysql. I also tried -l /dev/null, but it didn't like that one.

Snort starts as a service via:

    /usr/local/bin/snort -u snort -g snort -d -D -c /etc/snort/snort.conf

In snort.conf, I log to mysql with:

    output database: alert, mysql, user=snortusr password=fakepass dbname=snort host=localhost

I'm trying to kill snort with as much data as I can throw at it, and it always dies after a few minutes with:

    May 6 14:54:34 localhost snort: FATAL ERROR: OpenLogFile() => fopen(/var/log/snort/10.10.1.30/UDP:138-138) log file: Not a directory

But I KNOW that the snort user has full permission to /var/log/snort. But I don't need logging to disk. It's a waste. I only want it to log to mysql.

Thanks for your help!

- nick white

-------------------------------------------------------
Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara
The only event dedicated to issues related to Linux enterprise solutions
www.enterpriselinuxforum.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list
------------------------------------------------------------------------------
** Andy Johnston (andy () umbc edu)         * pager: 410-678-8949              **
** Manager of IT Security                  * PGP key:(afj2002) 4096/8448B056   **
** Office of Information Technology, UMBC  * 4A B4 96 64 D9 B6 EF E3 21 9A     **
** 410-455-2583 (v)/410-455-1065 (f)       * 46 1A 37 11 F5 6C 84 48 B0 56     **
------------------------------------------------------------------------------