Snort mailing list archives
Re: Snort and Syslog
From: Phil Daws <uxbod () splatnix net>
Date: Thu, 4 Apr 2013 19:46:32 +0100 (BST)
Darn, have to look at the code and see what it's logging to. Thank you.

----- Original Message -----
From: "Doug Burks" <doug.burks () gmail com>
To: "Phil Daws" <uxbod () splatnix net>
Cc: snort-users () lists sourceforge net
Sent: Thursday, 4 April, 2013 7:37:59 PM
Subject: Re: [Snort-users] Snort and Syslog

No, in my example $LOG is being passed to the process_start function (not snort itself). If I remember correctly, process_start starts the process *without* the -D (daemon) option, captures the process's stdout and stderr, and writes them to $LOG.

Doug

On Thu, Apr 4, 2013 at 2:20 PM, Phil Daws <uxbod () splatnix net> wrote:
Hello Doug,

Very much appreciate the response. At the moment with a stock Snort install it starts with the command:

    /usr/sbin/snort -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth0

so looking at your start script one just needs to append the logfile to the end? Does that make sense?

----- Original Message -----
From: "Doug Burks" <doug.burks () gmail com>
To: "Phil Daws" <uxbod () splatnix net>
Cc: snort-users () lists sourceforge net
Sent: Thursday, 4 April, 2013 6:55:27 PM
Subject: Re: [Snort-users] Snort and Syslog

Hi Phil,

In Security Onion, we start Snort using the NSMnow scripts which provide a function called process_start. This function starts the process and writes the log to a dedicated log file (not syslog). In the following code snippet, you can see that we're logging to $LOG, which ends up being /var/log/nsm/HOSTNAME-INTERFACE/snortu-1.log.

    # Start $IDS_LB_PROCS instances of Snort using pfring load-balancing
    for i in `seq 1 $IDS_LB_PROCS`; do
        PID=$PROCESS_PID_DIR/$SENSOR/snortu-$i.pid
        LOG=$PROCESS_LOG_DIR/$SENSOR/snortu-$i.log
        PERFMON=$SENSOR_LOG_DIR/snort-$i.stats
        UNI_DIR=$SENSOR_LOG_DIR/snort-$i
        mkdir -p $UNI_DIR
        chown $SENSOR_USER:$SENSOR_GROUP $UNI_DIR
        [ -z "$SKIP_SNORT_ALERT" ] && process_start "snort" "-c $SNORT_CONFIG -u $SENSOR_USER -g $SENSOR_GROUP -i $SENSOR_INTERFACE_SHORT -F /etc/nsm/$SENSOR/bpf-ids.conf -l $UNI_DIR --perfmon-file $PERFMON $SNORT_OPTIONS " "$PID" "$LOG" "snort-$i (alert data)"
    done

Hope that helps!

Thanks,
Doug

On Thu, Apr 4, 2013 at 8:23 AM, Phil Daws <uxbod () splatnix net> wrote:
Hi,

When Snort starts it writes specific information to /var/log/messages eg.
    Apr 4 12:01:40 fw1 snort[2951]: [ Port Based Pattern Matching Memory ]
    Apr 4 12:01:40 fw1 snort[2951]: +- [ Aho-Corasick Summary ] -------------------------------------
    Apr 4 12:01:40 fw1 snort[2951]: | Storage Format : Full-Q
    Apr 4 12:01:40 fw1 snort[2951]: | Finite Automaton : DFA
    Apr 4 12:01:40 fw1 snort[2951]: | Alphabet Size : 256 Chars
    Apr 4 12:01:40 fw1 snort[2951]: | Sizeof State : Variable (1,2,4 bytes)
    Apr 4 12:01:40 fw1 snort[2951]: | Instances : 294
    Apr 4 12:01:40 fw1 snort[2951]: | 1 byte states : 275
    Apr 4 12:01:40 fw1 snort[2951]: | 2 byte states : 19
    Apr 4 12:01:40 fw1 snort[2951]: | 4 byte states : 0
    Apr 4 12:01:40 fw1 snort[2951]: | Characters : 249637

How can I redirect those messages to a separate file as it plays havoc with OSSEC :) I have tried adding snort.none to rsyslog.conf for /var/log/messages and then added snort.* to direct to another file. That did not work :( Any thoughts please?

------------------------------------------------------------------------------
Minimize network downtime and maximize team effectiveness.
Reduce network management and security costs. Learn how to hire the most talented Cisco Certified professionals. Visit the Employer Resources Portal
http://www.cisco.com/web/learning/employer_resources/index.html
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

--
Doug Burks
http://securityonion.blogspot.com
--
Doug Burks
http://securityonion.blogspot.com
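The two approaches the thread discusses, as an added example that is not code from the thread or from Security Onion's NSMnow scripts: an rsyslog property filter that diverts messages tagged snort[...] to their own file (which is why a facility selector such as snort.none could not work), and a minimal process_start-style wrapper that launches Snort without -D and captures its stdout/stderr in a dedicated log. The function names, the pid/log paths and the 10-snort.conf filename are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Security Onion's NSMnow scripts.
# Two defender-side ways to keep Snort's start-up chatter out of /var/log/messages:
#  1. an rsyslog rule that matches the message's programname property; "snort" is
#     not a syslog facility, so a "snort.none" / "snort.*" selector never matches;
#  2. a process_start-style wrapper (modelled on what Doug describes; names assumed)
#     that runs Snort without -D and captures its stdout/stderr in a dedicated file.

# rsyslog_snort_filter LOGFILE
# Prints a rule diverting every message tagged "snort[...]" to LOGFILE and stopping
# further processing. Save it as e.g. /etc/rsyslog.d/10-snort.conf (assumed name);
# it must be included before the rule that feeds /var/log/messages.
# ("& stop" is rsyslog 7+ syntax; older releases spell it "& ~".)
rsyslog_snort_filter() {
    printf ':programname, isequal, "snort"    %s\n& stop\n' "$1"
}

# process_start COMMAND "ARGS" PIDFILE LOGFILE
# Starts COMMAND in the background with no daemon flag, so it keeps its stdout and
# stderr; both are appended to LOGFILE and the child PID is written to PIDFILE.
# ARGS is deliberately left unquoted so the shell splits it into separate arguments.
process_start() {
    cmd=$1; args=$2; pidfile=$3; logfile=$4
    mkdir -p "$(dirname "$pidfile")" "$(dirname "$logfile")"
    # shellcheck disable=SC2086
    "$cmd" $args >>"$logfile" 2>&1 &
    echo $! >"$pidfile"
}

# process_running PIDFILE: succeeds while the process recorded in PIDFILE is alive.
process_running() {
    kill -0 "$(cat "$1")" 2>/dev/null
}

# Phil's stock command line with -D removed, for example (paths assumed):
#   process_start /usr/sbin/snort \
#       "-d -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth0" \
#       /var/run/snort/snortu-eth0.pid /var/log/snort/snortu-eth0.log
```

Because the wrapper keeps Snort in the foreground of the shell that started it, run it from an init script or service unit that owns the process rather than from an interactive session.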