Snort mailing list archives
Re: Can't put log message to the special directory
From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 28 Sep 2004 11:49:12 -0400
I think you are missing one minor concept of Snort. Snort has alerts, and logs. Both. Alerts contain rule matches, logs contain packet captures.
Using your "output alert_fast: /home/snort/fst.log" you've set where your ALERTS go, but not where your logs go.
The -l command line specifies where both go. And the default format for logs is ip-hierarchy. However, this is IN ADDITION to the alert file.
Might I suggest switching to tcpdump binary logging or unified logging for your packet captures:

    output alert_fast: /home/snort/fst.log
    output log_tcpdump: /home/snort/tcpdump.log

This will give you two files, one with your fast mode alerts, and one fast-written binary log of packets that you can later read with tcpdump -r.
At 10:06 PM 9/27/2004, Peixiao Guo wrote:
    output alert_fast: /home/snort/fst.log
    log tcp any any -> any 80 (flags:S;)

I just want to put the alert_fast message to the file /home/snort/fst.log, but I will get an error if I run this command:

    snort -c snort.conf -d

The error messages are as below:

    Running in IDS mode
    Log directory = /var/log/snort
    ERROR: [!] ERROR: Can not get write access to logging directory "/var/log/snort".
    (directory doesn't exist or permissions are set incorrectly or it is not a directory at all)
    Fatal Error, Quitting..

When I run this command:

    snort -c snort.conf -d -l /home/snort/

then all output messages will be recorded in IP hierarchy in the /home/snort directory. I'm wondering how to log the output message to a /home/snort/fst.log file. Can any senior one give me a directive? Thanks very very much!
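The fatal error quoted above lists three possible causes for the -l directory: it does not exist, it is not a directory, or it is not writable by the user Snort runs as. The following preflight script, added here as an illustration and not part of the original thread, checks those same three conditions before Snort is started and assembles the command line Matt's reply implies (-c for the config, -d to dump the application layer, -l for the log directory). All paths in it are constructed for the example; the snort binary itself is never invoked.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Preflight check for the Snort log directory passed with -l. The three
# failure modes mirror the wording of Snort's own fatal error:
#   "directory doesn't exist or permissions are set incorrectly or it is
#    not a directory at all"
# Return codes: 0 ok, 1 missing, 2 not a directory, 3 not writable.

check_logdir() {
    dir="$1"
    if [ ! -e "$dir" ]; then
        echo "log directory missing: $dir" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    # -w is evaluated for the user running this script; run the check as
    # the same account Snort will drop to, or the result is meaningless.
    if [ ! -w "$dir" ]; then
        echo "not writable by $(id -un): $dir" >&2
        return 3
    fi
    return 0
}

# Assemble (but do not run) the command line from the thread: a config
# file, application-layer dumping, and an explicit log directory so Snort
# does not fall back to the default /var/log/snort.
snort_cmdline() {
    conf="$1"
    logdir="$2"
    printf 'snort -c %s -d -l %s\n' "$conf" "$logdir"
}

# Stand-alone demo using a throwaway temp directory (constructed input).
demo() {
    tmp=$(mktemp -d)
    if check_logdir "$tmp"; then
        echo "ok: $tmp"
        snort_cmdline snort.conf "$tmp"
    fi
    # A regular file where a directory is expected is rejected with code 2.
    : > "$tmp/not-a-dir"
    check_logdir "$tmp/not-a-dir" || echo "rejected with status $?"
    # A path that does not exist is rejected with code 1.
    check_logdir "$tmp/does-not-exist" || echo "rejected with status $?"
    rm -rf "$tmp"
}

demo
```

The script deliberately does not create the directory for you: whether /home/snort or /var/log/snort should exist, and with which owner, is a decision for whoever provisions the sensor, and silently creating a world-writable log directory would be the wrong default.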