Snort mailing list archives
Re: Useful logging of performance statistics
From: Jason Wallace <jason.r.wallace () gmail com>
Date: Tue, 22 Jun 2010 16:53:20 -0400
Out of curiosity, what do you have for sources? Is s_all just snort logs?

Wally

On Tue, Jun 22, 2010 at 3:55 PM, Crook, Parker <Parker_Crook () reyrey com> wrote:
Good afternoon all,

I recently switched over to syslog-ng in my lab environment after living with the status quo for way too long (on Debian, Snort logs to /var/log/syslog). After being lazy and scrolling the few hundred/thousand lines to get to the rules and preprocessor stats in my log files, I wanted a better way. Now that I am using syslog-ng, I have:

#DESTINATION
destination snort_info { file("/var/log/snort_info"); };
destination snort_warn { file("/var/log/snort_warn"); };
destination snort_notice { file("/var/log/snort_notice"); };
destination snort_crit { file("/var/log/snort_crit"); };
destination snort_err { file("/var/log/snort_err"); };
destination snort_emerg { file("/var/log/snort_emerg"); };

#FILTER
filter f_snort_info { level(info); };
filter f_snort_notice { level(notice); };
filter f_snort_warn { level(warn); };
filter f_snort_crit { level(crit); };
filter f_snort_err { level(err); };
filter f_snort_emerg { level(emerg); };

#LOG
log { source(s_all); filter(f_snort_info); destination(snort_info); };
log { source(s_all); filter(f_snort_notice); destination(snort_notice); };
log { source(s_all); filter(f_snort_warn); destination(snort_warn); };
log { source(s_all); filter(f_snort_crit); destination(snort_crit); };
log { source(s_all); filter(f_snort_err); destination(snort_err); };
log { source(s_all); filter(f_snort_emerg); destination(snort_emerg); };

And was kind of hoping for a nice breakup of logging; alas:

  4 drwxr-xr-x 2 snort snort   4096 2010-06-22 15:04 snort
 12 -rw-r----- 1 root  adm     8465 2010-06-22 15:04 snort_err
452 -rw-r----- 1 root  adm   455815 2010-06-22 15:17 snort_info
588 -rw-r----- 1 root  adm   597570 2010-06-22 15:04 snort_notice
 24 -rw-r----- 1 root  adm    22932 2010-06-22 15:04 snort_warn

So I found the Preprocessor Profile Statistics & Rule Profile Statistics in snort_notice, but I still have to rummage through a bunch of cruft just to get what I am looking for. So my question is: Is there a better way?
I want to log my rule profile & preprocessor profile statistics to a log unto themselves for easy(ier) historical comparison.

Thanks,
Parker

------------------------------------------------------------------------------
ThinkGeek and WIRED's GeekDad team up for the Ultimate GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the lucky parental unit. See the prize list and enter to win: http://p.sf.net/sfu/thinkgeek-promo
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
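Parker's underlying problem (the profile tables are buried among ordinary notice-level messages, because syslog-ng's level() filters only separate by severity, not by content) can also be handled after the fact by pulling the tables out of the syslog stream. The script below is an added example, not code from this thread, from Snort, or from syslog-ng. It assumes the classic BSD syslog line shape "Mon DD HH:MM:SS host snort[pid]: message", that each row of a profile table arrives as its own syslog message, and the table layouts shown in the constructed sample (header line "Rule Profile Statistics (all rules)" / "Preprocessor Profile Statistics (all)", a column-name row beginning with "Num", numbered data rows and a "total" row); all of those are assumptions about the output format, and the sample log lines are constructed, not captured from a sensor.

```python
#!/usr/bin/env python3
"""Split Snort profiling tables out of a syslog stream (added example).

Assumptions (constructed for this example, not taken from Snort's source):
- BSD syslog line shape: "Mon DD HH:MM:SS host snort[pid]: message"
- each row of a profile table is its own syslog message
- a table starts with "<Rule|Preprocessor> Profile Statistics ..." and its
  rows are separator lines, a "Num ..." column row, numbered rows, "total"
"""
import re
from typing import Dict, Iterable, List, Tuple

SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ [^\[:]+(?:\[\d+\])?: (?P<msg>.*)$"
)
# Start of a profile table.
HEADER_RE = re.compile(r"^\s*(?P<kind>Rule|Preprocessor) Profile Statistics")
# Rows that belong to a table: separator/underline rows (only '=' and blanks),
# the column-name row, numbered data rows and the trailing "total" row.
TABLE_ROW_RE = re.compile(r"^(?:[\s=]+|\s*Num\b.*|\s*\d+\s.*|\s*total\b.*)$")


def message_of(line: str) -> str:
    """Return the message part of a syslog line (whole line if it does not parse)."""
    line = line.rstrip("\n")
    m = SYSLOG_RE.match(line)
    return m.group("msg") if m else line


def split_profile_stats(lines: Iterable[str]) -> Tuple[List[dict], List[str]]:
    """Separate profile tables from everything else.

    Returns (blocks, other): blocks is a list of
    {"kind": "Rule" | "Preprocessor", "lines": [raw syslog lines]};
    other holds every line that is not part of a table.
    """
    blocks: List[dict] = []
    other: List[str] = []
    current = None
    for raw in lines:
        raw = raw.rstrip("\n")
        msg = message_of(raw)
        header = HEADER_RE.match(msg)
        if header:
            current = {"kind": header.group("kind"), "lines": [raw]}
            blocks.append(current)
        elif current is not None and TABLE_ROW_RE.match(msg):
            current["lines"].append(raw)
        else:
            current = None  # first row that is not table-shaped closes the block
            other.append(raw)
    return blocks, other


def rule_microsecs(blocks: List[dict]) -> Dict[Tuple[int, int], int]:
    """Map (gid, sid) -> Microsecs from Rule tables, for historical comparison.

    Assumed column order: Num SID GID Rev Checks Matches Alerts Microsecs ...
    """
    out: Dict[Tuple[int, int], int] = {}
    for block in blocks:
        if block["kind"] != "Rule":
            continue
        for raw in block["lines"][1:]:
            cols = message_of(raw).split()
            if len(cols) < 8 or not cols[0].isdigit():
                continue  # separator, column-name or underline row
            sid, gid, micros = int(cols[1]), int(cols[2]), int(cols[7])
            out[(gid, sid)] = micros
    return out


# Constructed sample input (not real sensor output).
SAMPLE_SYSLOG = """\
Jun 22 15:04:01 sensor snort[1234]: Snort initialization complete
Jun 22 15:04:01 sensor snort[1234]: Rule Profile Statistics (all rules)
Jun 22 15:04:01 sensor snort[1234]: ==========================================
Jun 22 15:04:01 sensor snort[1234]:    Num  SID GID Rev  Checks Matches Alerts Microsecs Avg/Check
Jun 22 15:04:01 sensor snort[1234]:    ===  === === ===  ====== ======= ====== ========= =========
Jun 22 15:04:01 sensor snort[1234]:      1 2000   1   5   12345      12      3      4567       0.4
Jun 22 15:04:01 sensor snort[1234]:      2 1000   1   2    9876       0      0      1234       0.1
Jun 22 15:04:02 sensor snort[1234]: Preprocessor Profile Statistics (all)
Jun 22 15:04:02 sensor snort[1234]: ==========================================
Jun 22 15:04:02 sensor snort[1234]:  Num  Preprocessor Layer Checks  Exits Microsecs Avg/Check
Jun 22 15:04:02 sensor snort[1234]:  ===  ============ ===== ====== ====== ========= =========
Jun 22 15:04:02 sensor snort[1234]:    1        detect     0 100000 100000    900000      9.00
Jun 22 15:04:02 sensor snort[1234]:  total       total     0 100000 100000   1500000     15.00
Jun 22 15:04:05 sensor snort[1234]: [1:2000:5] CONSTRUCTED TEST ALERT {TCP} 10.0.0.1:1234 -> 10.0.0.2:80
"""

if __name__ == "__main__":
    blocks, other = split_profile_stats(SAMPLE_SYSLOG.splitlines())
    for block in blocks:
        print(f"{block['kind']} table: {len(block['lines'])} lines")
    print(f"{len(other)} non-table lines")
    print("per-rule microseconds:", rule_microsecs(blocks))
```

Feeding /var/log/snort_notice (or /var/log/syslog) through split_profile_stats and writing the two lists to separate files gives the "log unto themselves" Parker asked for, and rule_microsecs turns each run's Rule table into a (gid, sid) -> Microsecs map that can be diffed against the previous run. The block-closing heuristic (any row that is not table-shaped ends the table) errs on the side of dropping a row into the "other" file rather than swallowing unrelated messages into the statistics log.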
Current thread:
- Useful logging of performance statistics Crook, Parker (Jun 22)
- Re: Useful logging of performance statistics Jason Wallace (Jun 22)
- Re: Useful logging of performance statistics Crook, Parker (Jun 22)
- Re: Useful logging of performance statistics Jason Wallace (Jun 22)
- Re: Useful logging of performance statistics Crook, Parker (Jun 23)
- Re: Useful logging of performance statistics Crook, Parker (Jun 24)
- Re: Useful logging of performance statistics Crook, Parker (Jun 22)
- Re: Useful logging of performance statistics Jason Wallace (Jun 22)