Snort mailing list archives
Re: syslog output problem
From: Terry <td3201 () gmail com>
Date: Thu, 12 Mar 2009 13:04:35 -0500
It should work with what I have but I took it out so it now looks like this and it's still not working:

    *.info;mail.none;authpriv.none;cron.none    /var/log/messages
    local0.*                                    /var/log/foo.log

foo.log is being created when I restart syslog with this config, so I can assume that syslog is configured correctly as far as that particular line.

On Thu, Mar 12, 2009 at 11:19 AM, Joel Esler <eslerj () gmail com> wrote:
It looks like you have local0.none in your /var/log/messages line. I can't remember, since it's been a while since I've used the syslog output module, but does syslog.conf process all log lines and send alerts to all files listed, or only the first one it comes across?

J

On Thu, Mar 12, 2009 at 11:57 AM, Terry <td3201 () gmail com> wrote:

Thank you for your response. I modified the command line so those options are no longer in there:

    /usr/sbin/snort -d -D -i eth1 -s -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

I am still not seeing this in my foo.log as expected. Again, here is the output in snort.conf:

    output alert_syslog: LOG_LOCAL0 LOG_ALERT

And my syslog.conf:

    *.info;mail.none;authpriv.none;cron.none;local0.none    /var/log/messages
    authpriv.*                                              /var/log/secure
    local0.*                                                /var/log/foo.log

I am seeing some stuff in /var/log/messages for some reason:

    Mar 12 10:57:03 XXXXXX snort[9072]: [1:882:6] WEB-CGI calendar access [Classification: Attempted Information Leak] [Priority: 2]: {TCP} XXXXXX:36759 -> XXXXX:80

On Thu, Mar 12, 2009 at 9:41 AM, Joel Esler <eslerj () gmail com> wrote:

You are using -b and -A on the command line. Command line options override snort.conf options.

J

On Thu, Mar 12, 2009 at 9:58 AM, Terry <td3201 () gmail com> wrote:

Hello, I can't seem to get syslog and snort working well together. Here's what I got:

commands I've tried:

    /usr/sbin/snort -A fast -b -d -D -i eth1 -s -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
    /usr/sbin/snort -b -d -D -i eth1 -s -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

snort.conf:

    output alert_syslog: LOG_LOCAL0 LOG_ALERT

syslog.conf:

    local0.*                                                /var/log/foo.log
    *.info;mail.none;authpriv.none;cron.none;local0.none    /var/log/messages

I see stuff going into /var/log/messages but that's it. What am I missing?
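Joel's question (does syslog.conf deliver to every matching line, or only the first?) is settled by the selector semantics of classic BSD/sysklogd syslogd: each line is evaluated on its own, and a message is written to every action whose selector admits it. The following is an added example, not code from this thread or from the Snort project. It models those semantics in Python (rsyslog and syslog-ng extensions such as stop directives or property filters are not modelled), replays the two syslog.conf variants quoted in the thread against the facility and priority named by the snort.conf output line, and adds one constructed comparison message under the auth facility to show that a .none exclusion only affects the line it appears on.

```python
"""Model of classic BSD/sysklogd syslog.conf selector matching.

Added example, not code from the thread: it replays the syslog.conf lines
quoted above against the facility/priority that Snort's
'output alert_syslog: LOG_LOCAL0 LOG_ALERT' line names, to show which
files a message is written to. Each syslog.conf line is evaluated on its
own, so a message goes to every action whose selector matches; there is
no first-match-wins.
"""

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]
# Ascending severity, so "this level and above" is a slice from that index on.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]


def parse_selector(selector):
    """Map each facility to the set of priority indices one selector accepts.
    ';'-separated parts apply left to right, so '*.info;local0.none' first
    admits local0 at info and above and then withdraws it again."""
    allowed = {}
    for part in selector.split(";"):
        facs, _, prio = part.rpartition(".")
        fac_list = FACILITIES if facs == "*" else facs.split(",")
        if prio == "none":
            levels = set()
        elif prio == "*":
            levels = set(range(len(PRIORITIES)))
        elif prio.startswith("="):          # exactly this priority
            levels = {PRIORITIES.index(prio[1:])}
        else:                               # this priority and more severe
            levels = set(range(PRIORITIES.index(prio), len(PRIORITIES)))
        for fac in fac_list:
            allowed[fac] = levels
    return allowed


def parse_conf(text):
    """Return [(allowed_map, action)] for every non-comment syslog.conf line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        rules.append((parse_selector(selector), action.strip()))
    return rules


def route(rules, facility, priority):
    """All actions that receive a message of this facility and priority,
    in syslog.conf order (every matching line, not just the first)."""
    level = PRIORITIES.index(priority)
    return [action for allowed, action in rules
            if level in allowed.get(facility, set())]


def snort_syslog_target(output_line):
    """Turn 'output alert_syslog: LOG_LOCAL0 LOG_ALERT' into ('local0', 'alert')."""
    def strip_log(tok):
        return (tok[4:] if tok.startswith("LOG_") else tok).lower()
    fac, prio = output_line.split(":", 1)[1].split()
    return strip_log(fac), strip_log(prio)


# The two syslog.conf variants quoted in the thread, copied from the messages.
ORIGINAL_CONF = """
*.info;mail.none;authpriv.none;cron.none;local0.none   /var/log/messages
authpriv.*                                             /var/log/secure
local0.*                                               /var/log/foo.log
"""
REVISED_CONF = """
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
local0.*                                   /var/log/foo.log
"""
SNORT_OUTPUT = "output alert_syslog: LOG_LOCAL0 LOG_ALERT"


def demo():
    fac, prio = snort_syslog_target(SNORT_OUTPUT)
    return {
        "original": route(parse_conf(ORIGINAL_CONF), fac, prio),
        "revised": route(parse_conf(REVISED_CONF), fac, prio),
        # Constructed comparison (not from the thread): an alert-level
        # message under the 'auth' facility is admitted only by the '*.info'
        # line, because no other line names 'auth'.
        "auth_alert_original": route(parse_conf(ORIGINAL_CONF), "auth", "alert"),
    }


if __name__ == "__main__":
    for name, targets in demo().items():
        print(f"{name}: {targets}")
```

In this model a message tagged local0/alert reaches /var/log/foo.log under both configs, and additionally /var/log/messages once local0.none is removed; a message that reaches /var/log/messages but not foo.log under the original config therefore cannot have carried facility local0. When a daemon's syslog output is not landing where expected, the first thing to verify is the facility the daemon actually tags its messages with, for example by sending a test line with `logger -p local0.alert test` and confirming it arrives in foo.log.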
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users

--
Joel Esler
T: 302-223-5974 (-)
Gtalk: jesler () sourcefire com [m]
Current thread:
- syslog output problem Terry (Mar 12)
- Re: syslog output problem Joel Esler (Mar 12)
- Re: syslog output problem Terry (Mar 12)
- Re: syslog output problem Joel Esler (Mar 12)
- Re: syslog output problem Terry (Mar 12)
- Re: syslog output problem Terry (Mar 12)
- Re: syslog output problem Joel Esler (Mar 12)