Snort mailing list archives
Asking Snort to do too much?
From: "Lance Lloyd" <lance.lloyd () atlasdmt com>
Date: Thu, 21 Aug 2003 12:32:42 -0700
So here's my dilemma. I want Snort to log to a total of 3 places: a MySQL DB and two different syslogs. I want all alerts to be sent to the DB and one of the logs. I have a custom ruletype that I would like to log to the 2nd syslog. The problem I am having is that all alerts are being sent to both syslogs. I've tried using different facilities and different priorities for them, but it still wants to send to both. Below are the configuration options I'm using.

Here's the relevant part of my conf file:

    output alert_syslog: LOG_LOCAL5 LOG_ALERT
    output database: log, mysql, user=snort dbname=snort2 host=10.17.0.41 sensor_name=OutsideCorpFirewall

    ruletype sev1
    {
        type alert
        output alert_syslog: LOG_LOCAL5 LOG_CRIT
        output database: log, mysql, user=snort dbname=snort host=10.17.0.41 sensor_name=OutsideCorpFirewall
        output database: log, mysql, user=snort dbname=snort2 host=10.17.0.41 sensor_name=OutsideCorpFirewall
    }

And the relevant part of my syslog.conf:

    #Snort
    #local5.* /var/log/snort
    local5.alert @10.17.0.41
    local5.crit @10.17.9.18

Can't think of anything I haven't tried. Thanks in advance.

Lance
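The symptom matches classic syslog.conf selector semantics: a plain `facility.priority` selector matches that priority and every more severe one, so `local5.crit` also receives LOG_LOCAL5/LOG_ALERT messages. The following added example (mine, not from the thread) models that matching on the two selectors from the post; the `=` exact-priority form it also tries is the one supported by sysklogd and rsyslog, and the rule lists are constructed from the post's syslog.conf fragment.

```python
# Added example (not from the thread): a model of classic syslog.conf selector
# matching, showing why "local5.alert" and "local5.crit" both receive a
# LOG_LOCAL5/LOG_ALERT message, and how "=" pins a selector to one priority.

# Numeric order used by syslog: lower number = more severe.
PRIORITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}


def selector_matches(selector, facility, priority):
    """Return True if a syslog.conf selector such as 'local5.crit',
    'local5.=alert' or '*.info' applies to a message with the given
    facility and priority (names as used in syslog.conf)."""
    sel_fac, sel_pri = selector.split(".", 1)
    if sel_fac != "*" and sel_fac != facility:
        return False
    if sel_pri == "*":
        return True
    if sel_pri.startswith("="):          # exact-priority form: local5.=alert
        return PRIORITIES[priority] == PRIORITIES[sel_pri[1:]]
    # Plain form matches the named priority and everything MORE severe.
    return PRIORITIES[priority] <= PRIORITIES[sel_pri]


def route(rules, facility, priority):
    """Return the destinations, in file order, that would receive the message."""
    return [dest for sel, dest in rules if selector_matches(sel, facility, priority)]


# Constructed rules mirroring the two live lines of the post's syslog.conf.
ORIGINAL_RULES = [("local5.alert", "@10.17.0.41"), ("local5.crit", "@10.17.9.18")]
# Same destinations with exact-priority selectors (hypothetical alternative).
PINNED_RULES = [("local5.=alert", "@10.17.0.41"), ("local5.=crit", "@10.17.9.18")]

if __name__ == "__main__":
    # Snort's default alerts are LOG_ALERT, the sev1 ruletype logs at LOG_CRIT.
    for pri in ("alert", "crit"):
        print(pri, "original ->", route(ORIGINAL_RULES, "local5", pri))
        print(pri, "pinned   ->", route(PINNED_RULES, "local5", pri))
```

With the original selectors every LOG_ALERT message is delivered to both hosts while LOG_CRIT goes only to 10.17.9.18; with the pinned selectors each priority reaches exactly one host.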
Current thread:
- Asking Snort to do too much? Lance Lloyd (Aug 22)
- <Possible follow-ups>
- FW: Asking Snort to do too much? Lance Lloyd (Aug 22)
- Re: FW: Asking Snort to do too much? Erek Adams (Aug 26)
- RE: FW: Asking Snort to do too much? Lance Lloyd (Aug 28)