Re: Snort isn't logging to snort.log but is to snort.alert

[ccie 6862 <ccie6862 () yahoo com>]

Thanks for the tip - I've made the changes.

Also, I found why the snort.log wasn't being used. The snort.conf file had the following:

output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.unified, limit 128

I have no idea how the snort.log was being created, as it was no where in the configuration file; however snort.unified 
has always been used in addition to the snort.alert and (until recently) snort.log.

Everything is back to normal.

--- On Sun, 4/25/10, Joel Esler <jesler () sourcefire com> wrote:

> From: Joel Esler <jesler () sourcefire com>
> Subject: Re: [Snort-users] Snort isn't logging to snort.log but is to snort.alert
> To: "ccie 6862" <ccie6862 () yahoo com>
> Cc: "Snort-users () lists sourceforge net" <Snort-users () lists sourceforge net>
> Date: Sunday, April 25, 2010, 2:05 PM
> You should not output from snort
> using thr output database line. You should output using
> output unified and then use barnyard to read the unifies
> file an output to database.
>
> --
> Joel Esler
> Sent from my iPhone
>
> On Apr 25, 2010, at 2:30 PM, ccie 6862 <ccie6862 () yahoo com>
> wrote:
>
> > Last night I upgraded snort from 2.8.4 to 2.8.5.3. In
> the process of going over everything, I noticed that I had
> never uncommented the "output database" line. I added a line
> to the "preprocessor frag3_engine" to eliminate some noisy
> alerts and a couple lines to threshold.conf.
> > Up to this point, snort was logging OK. Now, snort
> only is logging to the snort.alert.### file but not the
> snort.log.### file. I don't see any problems in the
> /var/log/messages file, and I'm not really sure how to
> figure out what's wrong.
> > I'd be very grateful if anyone can point me in the
> right direction.
> > I have another question about barnyard, which is also
> installed. Does the "output database" have to be uncommented
> in the snort configuration given I'm running barnyard? From
> reading the documentation, I believe barnyard is duplicating
> entering the data into mysql; however, I configured this
> based on some how-to's for installing snort and barnyard.
> > Thank you.
> ------------------------------------------------------------------------------
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users


      

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users