Snort mailing list archives
Re: Useful logging of performance statistics
From: "Crook, Parker" <Parker_Crook () reyrey com>
Date: Wed, 23 Jun 2010 08:45:33 -0400
Wally,

Thanks for the reply -- I guess I should have been a little clearer in my original post: the definitions I list here are the custom definitions, I am still using the default logging facilities as well, i.e.:

    destination df_auth { file("/var/log/auth.log"); };
    destination df_syslog { file("/var/log/syslog"); };
    . . .

...along with the filters and logs. Snort_notice only contains logs from Snort; however, it contains what seems to be all information from starting and stopping Snort, whereas I am looking for a way to log the rule & preproc performance stats to a separate file. I tried setting up a filter for syslog-ng, but the problem is that the information gets logged line by line, and threw off my plan of setting up a regex filter.

My intent in asking this question would be: does anyone else have a mechanism to log this info in an easily accessible place? If not, is there a good way to accomplish it (I thought about a series of regex filters inside of syslog-ng, but after I started bashing out a 'solution' I stepped back and thought, 'those are some seriously ugly pcre's' and there has got to be a better way)? And of course, is anybody else using this form of logging to acquire information on rule performance in their environment? I have found it terribly useful.

-Parker

-----Original Message-----
From: Jason Wallace [mailto:jason.r.wallace () gmail com]
Sent: Tuesday, June 22, 2010 7:01 PM
To: Crook, Parker
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Useful logging of performance statistics

If the goal is to only have snort logs in those files then I do not think what you have will work. That would result in log files with all info logs, including system logs, in snort_info, all warn logs in snort_warn...etc. You need to add something to the filters to tell them you want those levels but only for snort related logs.

I'm not in front of my box right now but I think (from memory) you might be looking for the "match" statement...or "program" might work.

Wally

On Tue, Jun 22, 2010 at 5:05 PM, Crook, Parker <Parker_Crook () reyrey com> wrote:

Wally,

Here's my sources:

    source s_all {
        # message generated by Syslog-NG
        internal();
        # standard Linux log source (this is the default place for the syslog()
        # function to send logs to)
        unix-stream("/dev/log");
        # messages from the kernel
        file("/proc/kmsg" log_prefix("kernel: "));
        # use the following line if you want to receive remote UDP logging messages
        # (this is equivalent to the "-r" syslogd flag)
        # udp();
    };

-Parker

-----Original Message-----
From: Jason Wallace [mailto:jason.r.wallace () gmail com]
Sent: Tuesday, June 22, 2010 4:53 PM
To: Crook, Parker
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Useful logging of performance statistics

Out of curiosity what do you have for sources? Is s_all just snort logs?

Wally

On Tue, Jun 22, 2010 at 3:55 PM, Crook, Parker <Parker_Crook () reyrey com> wrote:

Good afternoon all,

I recently switched over to syslog-ng in my lab environment after living with the status-quo for way too long (On Debian, Snort logs to /var/log/syslog). After being lazy and scrolling the few hundred/thousand lines to get to the rules and preprocessor stats in my log files, I wanted a better way.

Now that I am using syslog-ng, I have:

    #DESTINATION
    destination snort_info { file("/var/log/snort_info"); };
    destination snort_warn { file("/var/log/snort_warn"); };
    destination snort_notice { file("/var/log/snort_notice"); };
    destination snort_crit { file("/var/log/snort_crit"); };
    destination snort_err { file("/var/log/snort_err"); };
    destination snort_emerg { file("/var/log/snort_emerg"); };

    #FILTER
    filter f_snort_info { level(info); };
    filter f_snort_notice { level(notice); };
    filter f_snort_warn { level(warn); };
    filter f_snort_crit { level(crit); };
    filter f_snort_err { level(err); };
    filter f_snort_emerg { level(emerg); };

    #LOG
    log { source(s_all); filter(f_snort_info); destination(snort_info); };
    log { source(s_all); filter(f_snort_notice); destination(snort_notice); };
    log { source(s_all); filter(f_snort_warn); destination(snort_warn); };
    log { source(s_all); filter(f_snort_crit); destination(snort_crit); };
    log { source(s_all); filter(f_snort_err); destination(snort_err); };
    log { source(s_all); filter(f_snort_emerg); destination(snort_emerg); };

And was kind of hoping for a nice breakup of logging; alas:

      4 drwxr-xr-x 2 snort snort   4096 2010-06-22 15:04 snort
     12 -rw-r----- 1 root  adm     8465 2010-06-22 15:04 snort_err
    452 -rw-r----- 1 root  adm   455815 2010-06-22 15:17 snort_info
    588 -rw-r----- 1 root  adm   597570 2010-06-22 15:04 snort_notice
     24 -rw-r----- 1 root  adm    22932 2010-06-22 15:04 snort_warn

So I found the Preprocessor Profile Statistics & Rule Profile Statistics in snort_notice, but I still have to rummage through a bunch of cruft just to get what I am looking for.

So my question is: Is there a better way? I want to log my rule profile & preprocessor profile statistics to a log unto themselves for easy(ier) historical comparison.

Thanks,
Parker

------------------------------------------------------------------------------
ThinkGeek and WIRED's GeekDad team up for the Ultimate GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the lucky parental unit. See the prize list and enter to win: http://p.sf.net/sfu/thinkgeek-promo
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
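Wally's suggestion of a program() filter does get a Snort-only file, but it does not solve the second half of Parker's problem: Snort writes the profile tables one syslog message per row, so a per-line syslog-ng filter can only ever pick out the "... Profile Statistics" title line, never the rows under it. Keeping a whole table together needs a pass over the file that carries state from one line to the next. The script below is an added example written for this archive page; it is not code from the thread, from Snort or from syslog-ng. It reads a classic-syslog-format file such as /var/log/snort_notice, reassembles each "Rule Profile Statistics" and "Preprocessor Profile Statistics" table from the consecutive snort lines that follow its title, and renders every table as a timestamped chunk that can be appended to a history file of its own. The syslog line layout, the table shapes, the "total" row and the sample log are assumptions (the sample is constructed to approximate Snort 2.8 output), and all function and class names are this example's own.

```python
"""Extract Snort rule/preprocessor profile statistics from a syslog file.

Snort emits these tables one syslog line at a time, so a per-line filter sees
only the "... Profile Statistics" title, never the rows that follow it. This
script reassembles each table from consecutive snort lines instead. All names
here are this example's own (hypothetical); the sample log is constructed and
only approximates Snort 2.8 output.
"""
import re
import sys
from dataclasses import dataclass, field

# Classic syslog line: "Jun 22 15:04:10 host snort[4242]: message text"
SYSLOG_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'(?P<prog>[^\[\]:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$'
)
# Title line that opens a table
BLOCK_START_RE = re.compile(r'^(?P<kind>Rule|Preprocessor) Profile Statistics')
# Lines that belong to an open table: "====" separators, the column-header line
# (first token "Num"), numeric data rows, and the preprocessor "total" row
CONT_RE = re.compile(r'^\s*(?:=+|Num\b|\d+\b|total\b)')


@dataclass
class ProfileBlock:
    kind: str        # "Rule" or "Preprocessor"
    timestamp: str   # syslog timestamp of the title line
    title: str       # e.g. "Rule Profile Statistics (all rules)"
    lines: list = field(default_factory=list)  # raw table lines, in order

    def rows(self):
        """Data rows only (first token numeric), split into whitespace columns."""
        return [ln.split() for ln in self.lines if re.match(r'^\s*\d', ln)]


def extract_profile_blocks(syslog_lines, program='snort'):
    """Walk syslog lines in order and return the profile tables found.

    A table stays open only across consecutive lines from `program` that look
    like table content; any other message (another daemon, or snort saying
    something else) closes it, so unrelated noise never lands inside a block.
    """
    blocks = []
    current = None
    for raw in syslog_lines:
        m = SYSLOG_RE.match(raw.rstrip('\n'))
        if not m or m.group('prog') != program:
            current = None
            continue
        msg = m.group('msg')
        start = BLOCK_START_RE.match(msg)
        if start:
            current = ProfileBlock(start.group('kind'), m.group('ts'), msg)
            blocks.append(current)
        elif current is not None and CONT_RE.match(msg):
            current.lines.append(msg)
        else:
            current = None
    return blocks


def render_block(block):
    """One self-describing text chunk per table: a '# timestamp title' line
    followed by the table, suitable for appending to a dedicated history file."""
    header = '# %s %s' % (block.timestamp, block.title)
    return '\n'.join([header] + block.lines) + '\n'


# Constructed sample; the column layout approximates Snort 2.8 profile output.
SAMPLE_LOG = """\
Jun 22 15:04:10 sensor snort[4242]: Run time for packet processing was 3600.0 seconds
Jun 22 15:04:10 sensor snort[4242]: Rule Profile Statistics (all rules)
Jun 22 15:04:10 sensor snort[4242]: ==========================================================
Jun 22 15:04:10 sensor snort[4242]:    Num      SID GID Rev     Checks   Matches    Alerts   Microsecs  Avg/Check  Avg/Match Avg/Nonmatch
Jun 22 15:04:10 sensor snort[4242]:    ===      === === ===     ======   =======    ======   =========  =========  ========= ============
Jun 22 15:04:10 sensor snort[4242]:      1     2000   1   2        110       110       110          56        0.5        0.5          0.0
Jun 22 15:04:10 sensor snort[4242]:      2     1000   1   1       9876         3         3        2311        0.2        4.1          0.2
Jun 22 15:04:10 sensor snort[4242]: Preprocessor Profile Statistics (all)
Jun 22 15:04:10 sensor snort[4242]: ==========================================================
Jun 22 15:04:10 sensor snort[4242]:  Num   Preprocessor Layer   Checks   Exits   Microsecs  Avg/Check Pct of Caller Pct of Total
Jun 22 15:04:10 sensor snort[4242]:  ===   ============ =====   ======   =====   =========  ========= ============= ============
Jun 22 15:04:10 sensor snort[4242]:    1         detect     0    12000   12000       55000       4.58         80.12        80.12
Jun 22 15:04:10 sensor snort[4242]:    2          frag3     0     1200    1200        1000       0.83          1.45         1.45
Jun 22 15:04:10 sensor snort[4242]:              total total    12000   12000       68650       5.72          0.00       100.00
Jun 22 15:04:11 sensor cron[99]: (root) CMD (run-parts /etc/cron.hourly)
Jun 22 15:04:12 sensor snort[4242]: Snort exiting
"""

if __name__ == '__main__':
    # Usage: extract_profile.py /var/log/snort_notice   (no argument: run on the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            found = extract_profile_blocks(fh)
    else:
        found = extract_profile_blocks(SAMPLE_LOG.splitlines())
    for b in found:
        sys.stdout.write(render_block(b))
```

Run against snort_notice (or against the rotated copies) after each Snort restart and append the output to one file per table kind; because every chunk starts with the title line's timestamp, a plain diff between two runs shows which rules or preprocessors moved. The state machine deliberately closes a table on the first line that is neither from snort nor shaped like a table row, so a cron or kernel message interleaved by syslog-ng cannot be swallowed into the statistics.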
Current thread:
- Useful logging of performance statistics Crook, Parker (Jun 22)
- Re: Useful logging of performance statistics Jason Wallace (Jun 22)
- Re: Useful logging of performance statistics Crook, Parker (Jun 22)
- Re: Useful logging of performance statistics Jason Wallace (Jun 22)
- Re: Useful logging of performance statistics Crook, Parker (Jun 23)
- Re: Useful logging of performance statistics Crook, Parker (Jun 24)
- Re: Useful logging of performance statistics Crook, Parker (Jun 22)
- Re: Useful logging of performance statistics Jason Wallace (Jun 22)