Snort mailing list archives
Re: Snort and Syslog
From: Phil Daws <uxbod () splatnix net>
Date: Thu, 4 Apr 2013 19:20:51 +0100 (BST)
Hello Doug,
Very much appreciate the response. At the moment with a stock Snort install it starts with the command:
/usr/sbin/snort -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth0
so looking at your start script one just needs to append the logfile to the end ?
Does that make sense ?
----- Original Message -----
From: "Doug Burks" <doug.burks () gmail com>
To: "Phil Daws" <uxbod () splatnix net>
Cc: snort-users () lists sourceforge net
Sent: Thursday, 4 April, 2013 6:55:27 PM
Subject: Re: [Snort-users] Snort and Syslog
Hi Phil,
In Security Onion, we start Snort using the NSMnow scripts which
provide a function called process_start. This function starts the
process and writes the log to a dedicated log file (not syslog). In
the following code snippet, you can see that we're logging to $LOG,
which ends up being /var/log/nsm/HOSTNAME-INTERFACE/snortu-1.log.
# Start $IDS_LB_PROCS instances of Snort using pfring
load-balancing
for i in `seq 1 $IDS_LB_PROCS`; do
PID=$PROCESS_PID_DIR/$SENSOR/snortu-$i.pid
LOG=$PROCESS_LOG_DIR/$SENSOR/snortu-$i.log
PERFMON=$SENSOR_LOG_DIR/snort-$i.stats
UNI_DIR=$SENSOR_LOG_DIR/snort-$i
mkdir -p $UNI_DIR
chown $SENSOR_USER:$SENSOR_GROUP $UNI_DIR
[ -z "$SKIP_SNORT_ALERT" ] && process_start
"snort" "-c $SNORT_CONFIG -u $SENSOR_USER -g $SENSOR_GROUP -i
$SENSOR_INTERFACE_SHORT -F /etc/nsm/$SENSOR/bpf-ids.conf -l $UNI_DIR
--perfmon-file $PERFMON $SNORT_OPTIONS
" "$PID" "$LOG" "snort-$i (alert data)"
done
Hope that helps!
Thanks,
Doug
On Thu, Apr 4, 2013 at 8:23 AM, Phil Daws <uxbod () splatnix net> wrote:
Hi, When Snort starts it writes specific information to /var/log/messages eg. Apr 4 12:01:40 fw1 snort[2951]: [ Port Based Pattern Matching Memory ] Apr 4 12:01:40 fw1 snort[2951]: +- [ Aho-Corasick Summary ] ------------------------------------- Apr 4 12:01:40 fw1 snort[2951]: | Storage Format : Full-Q Apr 4 12:01:40 fw1 snort[2951]: | Finite Automaton : DFA Apr 4 12:01:40 fw1 snort[2951]: | Alphabet Size : 256 Chars Apr 4 12:01:40 fw1 snort[2951]: | Sizeof State : Variable (1,2,4 bytes) Apr 4 12:01:40 fw1 snort[2951]: | Instances : 294 Apr 4 12:01:40 fw1 snort[2951]: | 1 byte states : 275 Apr 4 12:01:40 fw1 snort[2951]: | 2 byte states : 19 Apr 4 12:01:40 fw1 snort[2951]: | 4 byte states : 0 Apr 4 12:01:40 fw1 snort[2951]: | Characters : 249637 How can I redirect those messages to a separate file as it plays havoc with OSSEC :) I have tried adding snort.none to rsyslog.conf for /var/log/messages and then added snort.* to direct too another file. That did not work :( Any thoughts please ? ------------------------------------------------------------------------------ Minimize network downtime and maximize team effectiveness. Reduce network management and security costs.Learn how to hire the most talented Cisco Certified professionals. Visit the Employer Resources Portal http://www.cisco.com/web/learning/employer_resources/index.html _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
-- Doug Burks http://securityonion.blogspot.com ------------------------------------------------------------------------------ Minimize network downtime and maximize team effectiveness. Reduce network management and security costs.Learn how to hire the most talented Cisco Certified professionals. Visit the Employer Resources Portal http://www.cisco.com/web/learning/employer_resources/index.html _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Snort and Syslog Phil Daws (Apr 04)
- Re: Snort and Syslog Jeremy Hoel (Apr 04)
- Re: Snort and Syslog Phil Daws (Apr 04)
- Re: Snort and Syslog Jefferson, Shawn (Apr 05)
- Re: Snort and Syslog Phil Daws (Apr 04)
- Re: Snort and Syslog Josh Bitto (Apr 04)
- Re: Snort and Syslog waldo kitty (Apr 04)
- Re: Snort and Syslog Jeremy Hoel (Apr 04)
- Re: Snort and Syslog Phil Daws (Apr 04)
- Re: Snort and Syslog waldo kitty (Apr 04)
- Re: Snort and Syslog Doug Burks (Apr 04)
- Re: Snort and Syslog Phil Daws (Apr 04)
- Re: Snort and Syslog Doug Burks (Apr 04)
- Re: Snort and Syslog Phil Daws (Apr 04)
- Re: Snort and Syslog Doug Burks (Apr 04)
- Re: Snort and Syslog Phil Daws (Apr 04)
- Re: Snort and Syslog Jeremy Hoel (Apr 04)
- <Possible follow-ups>
- Re: Snort and Syslog Lay, James (Apr 04)