Snort mailing list archives
Re: FW: Asking Snort to do too much?
From: Erek Adams <erek () snort org>
Date: Mon, 25 Aug 2003 12:00:31 -0400 (EDT)
On Fri, 22 Aug 2003, Lance Lloyd wrote:
Question too vague?
No. I just thought someone else might chime in, since I was feeling lazy.
So here's my dilemma. I want Snort to log to a total of 3 places: a MySQL DB and two different syslogs. I want all alerts to be sent to the DB and one of the logs. I have a custom ruletype that I would like to log to the 2nd syslog. The problem I am having is that all alerts are being sent to both syslogs. I've tried using different facilities and different priorities for them, but it still wants to send to both. Below are the configuration options I'm using.

Here's the relevant part of my conf file:

    output alert_syslog: LOG_LOCAL5 LOG_ALERT
    output database: log, mysql, user=snort dbname=snort2 host=10.17.0.41 sensor_name=OutsideCorpFirewall

    ruletype sev1
    {
        type alert
        output alert_syslog: LOG_LOCAL5 LOG_CRIT
        output database: log, mysql, user=snort dbname=snort host=10.17.0.41 sensor_name=OutsideCorpFirewall
        output database: log, mysql, user=snort dbname=snort2 host=10.17.0.41 sensor_name=OutsideCorpFirewall
    }

And the relevant part of my syslog.conf:

    #Snort
    #local5.*       /var/log/snort
    local5.alert    @10.17.0.41
    local5.crit     @10.17.9.18

Can't think of anything I haven't tried. Thanks in advance.
A couple of things.

* Try running two instances of Snort, one with one config and the other with a second. Only one logs to the second db and second syslog.

* For a test, try having both local5.alert and local5.crit log to a local file on the box. Check to make sure that the syslog can separate the two. Make sure that it doesn't have a weird way of sending *.alert and above to one file.

Cheers!

-----
Erek Adams

"When things get weird, the weird turn pro." H.S. Thompson
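Erek's second suggestion, checking whether the syslog daemon can actually separate local5.alert from local5.crit, can be reasoned through before touching the box. In classic sysklogd-style syslog.conf a bare selector such as local5.crit means "crit and every more severe priority", so LOG_ALERT messages also satisfy it, while a selector prefixed with = (local5.=crit) matches exactly that priority. The following model of that selector matching is an added example, not code from the thread or from Snort or sysklogd; the sysklogd semantics for bare, =, ! and none selectors are assumed from syslog.conf(5), and the two messages below are constructed to stand in for the LOG_ALERT output of the default rules and the LOG_CRIT output of the sev1 ruletype in Lance's config. It only models the syslog side; it says nothing about how Snort itself routes a custom ruletype.

```python
"""Model of sysklogd-style syslog.conf selector matching (added example).

Used to check whether a pair of syslog.conf lines separates LOG_ALERT
messages from LOG_CRIT messages, the test Erek suggests running against a
local file.
"""

# Syslog priority levels: numerically lower means more severe (RFC 3164).
PRIORITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}


def line_matches(selector_field, facility, priority):
    """Evaluate a whole selector field such as 'kern.*;kern.!err'.

    Assumed sysklogd semantics (syslog.conf(5)): selectors apply left to
    right to a per-facility priority mask.
      fac.pri   adds pri and every more severe priority
      fac.=pri  adds exactly pri
      fac.!pri  removes pri and every more severe priority
      fac.!=pri removes exactly pri
      fac.none  clears the mask for that facility
      '*' is a wildcard for either facility or priority
    """
    wanted = set()
    for selector in selector_field.split(";"):
        fac_part, _, pri_part = selector.partition(".")
        facilities = fac_part.split(",")
        if "*" not in facilities and facility not in facilities:
            continue
        if pri_part == "none":
            wanted.clear()
            continue
        if pri_part == "*":
            wanted = set(PRIORITIES.values())
            continue
        negate = pri_part.startswith("!")
        if negate:
            pri_part = pri_part[1:]
        exact = pri_part.startswith("=")
        if exact:
            pri_part = pri_part[1:]
        level = PRIORITIES[pri_part]
        if exact:
            levels = {level}
        else:
            levels = {lvl for lvl in PRIORITIES.values() if lvl <= level}
        if negate:
            wanted -= levels
        else:
            wanted |= levels
    return PRIORITIES[priority] in wanted


def route(syslog_conf, messages):
    """Return {destination: [message names]} for syslog.conf lines given as
    (selector_field, destination) pairs and messages given as
    (name, facility, priority) triples."""
    delivered = {dest: [] for _, dest in syslog_conf}
    for name, facility, priority in messages:
        for selector_field, dest in syslog_conf:
            if line_matches(selector_field, facility, priority):
                delivered[dest].append(name)
    return delivered


# Constructed stand-ins for the two kinds of message Lance's snort.conf emits:
# the global alert_syslog line at LOG_ALERT and the sev1 ruletype at LOG_CRIT.
MESSAGES = [
    ("default rule alert", "local5", "alert"),
    ("sev1 alert", "local5", "crit"),
]

# Lance's syslog.conf as posted: local5.crit also catches LOG_ALERT.
ORIGINAL_CONF = [
    ("local5.alert", "@10.17.0.41"),
    ("local5.crit", "@10.17.9.18"),
]

# Same destinations with exact-priority selectors, which do separate them.
FIXED_CONF = [
    ("local5.=alert", "@10.17.0.41"),
    ("local5.=crit", "@10.17.9.18"),
]

# Erek's local-file test: everything from local5 into one file first.
LOCAL_TEST_CONF = [("local5.*", "/var/log/snort")]


if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_CONF), ("fixed", FIXED_CONF),
                        ("local test", LOCAL_TEST_CONF)):
        print(label, route(conf, MESSAGES))
```

With the posted configuration the host at 10.17.9.18 receives both message kinds because local5.crit covers crit, alert and emerg; the = form is what makes each remote host see only its own priority. The original BSD syslogd does not understand the = and ! prefixes, so whether this fix applies depends on which syslog daemon the sensor runs, which is exactly what the local-file test in Erek's reply establishes.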
Current thread:
- Asking Snort to do too much? Lance Lloyd (Aug 22)
- <Possible follow-ups>
- FW: Asking Snort to do too much? Lance Lloyd (Aug 22)
- Re: FW: Asking Snort to do too much? Erek Adams (Aug 26)
- RE: FW: Asking Snort to do too much? Lance Lloyd (Aug 28)