Snort mailing list archives
Re: Snort and Syslog
From: Phil Daws <uxbod () splatnix net>
Date: Thu, 4 Apr 2013 19:47:40 +0100 (BST)
Thanks Josh, need to understand where Snort writes to. Is it a localX.* something or directly on the binary name?

----- Original Message -----
From: "Josh Bitto" <jbitto () onlineschool ca>
To: "Phil Daws" <uxbod () splatnix net>, snort-users () lists sourceforge net
Sent: Thursday, 4 April, 2013 4:45:20 PM
Subject: RE: Snort and Syslog

You're probably better off asking this question in rsyslog's mail group. I've gotten a lot of help from them.

-----Original Message-----
From: Phil Daws [mailto:uxbod () splatnix net]
Sent: Thursday, April 04, 2013 5:24 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort and Syslog

Hi,

When Snort starts it writes specific information to /var/log/messages, e.g.

Apr 4 12:01:40 fw1 snort[2951]: [ Port Based Pattern Matching Memory ]
Apr 4 12:01:40 fw1 snort[2951]: +- [ Aho-Corasick Summary ] -------------------------------------
Apr 4 12:01:40 fw1 snort[2951]: | Storage Format : Full-Q
Apr 4 12:01:40 fw1 snort[2951]: | Finite Automaton : DFA
Apr 4 12:01:40 fw1 snort[2951]: | Alphabet Size : 256 Chars
Apr 4 12:01:40 fw1 snort[2951]: | Sizeof State : Variable (1,2,4 bytes)
Apr 4 12:01:40 fw1 snort[2951]: | Instances : 294
Apr 4 12:01:40 fw1 snort[2951]: | 1 byte states : 275
Apr 4 12:01:40 fw1 snort[2951]: | 2 byte states : 19
Apr 4 12:01:40 fw1 snort[2951]: | 4 byte states : 0
Apr 4 12:01:40 fw1 snort[2951]: | Characters : 249637

How can I redirect those messages to a separate file, as it plays havoc with OSSEC :) I have tried adding snort.none to rsyslog.conf for /var/log/messages and then added snort.* to direct to another file. That did not work :( Any thoughts please?

------------------------------------------------------------------------------
Minimize network downtime and maximize team effectiveness. Reduce network management and security costs. Learn how to hire the most talented Cisco Certified professionals.
Visit the Employer Resources Portal http://www.cisco.com/web/learning/employer_resources/index.html
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
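The question in the thread is whether rsyslog can select these lines by the binary name rather than by a localX facility. Below is an added example, written for this archive page and not taken from the thread, from Snort or from the rsyslog project. It shows an rsyslog rule that matches on the program name carried in the message tag (the `snort` in `snort[2951]:`), which is the `programname` property rather than a facility, and it includes a small awk emulation of that property test run over a few constructed log lines so the effect can be checked without touching a live rsyslog. The file path /etc/rsyslog.d/10-snort.conf and the destination /var/log/snort/snort.log are assumed names.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: rsyslog legacy filter
# syntax; the two file paths below are placeholders.

# 1. rsyslog fragment. "snort" is not a syslog facility, so a selector such
#    as "snort.none" is not valid; match on the program name from the message
#    tag instead. Drop this file in before the rule that feeds /var/log/messages.
RSYSLOG_FRAGMENT='
# /etc/rsyslog.d/10-snort.conf   (assumed path)
:programname, isequal, "snort"   /var/log/snort/snort.log
& stop
'
# "& stop" discards the matched message so it no longer reaches
# /var/log/messages; on rsyslog versions older than 7 write "& ~" instead.

# 2. Emulate the programname property test offline: print the lines whose
#    tag (field 5 of a traditional syslog line, minus "[pid]:" or ":")
#    equals the first argument. Reads syslog lines from stdin.
route_by_programname() {
    want="$1"
    awk -v want="$want" '
        {
            tag = $5                        # e.g. "snort[2951]:"
            sub(/\[[0-9]+\]:?$/, "", tag)   # strip "[pid]:"
            sub(/:$/, "", tag)              # strip ":" when there is no pid
            if (tag == want) print
        }'
}

# Constructed sample input (two Snort startup lines and two unrelated ones).
SAMPLE_LOG='Apr  4 12:01:40 fw1 snort[2951]: | Instances : 294
Apr  4 12:01:41 fw1 sshd[1200]: Accepted publickey for ops from 10.0.0.5
Apr  4 12:01:42 fw1 snort[2951]: | Characters : 249637
Apr  4 12:01:43 fw1 kernel: eth0: link up'

# Number of sample lines the rule would divert to /var/log/snort/snort.log.
count_routed() {
    printf '%s\n' "$SAMPLE_LOG" | route_by_programname "${1:-snort}" | wc -l | tr -d ' '
}

# 3. Optional syntax check of the fragment when rsyslogd is installed
#    (-N1 parses the configuration without starting the daemon).
check_fragment() {
    tmp=$(mktemp)
    printf '%s\n' "$RSYSLOG_FRAGMENT" > "$tmp"
    if command -v rsyslogd >/dev/null 2>&1; then
        rsyslogd -N1 -f "$tmp"
    fi
    rm -f "$tmp"
}

# Demo: show which sample lines the programname rule selects.
printf '%s\n' "$SAMPLE_LOG" | route_by_programname snort
```

The emulation only models the `isequal` comparison on the tag; rsyslog itself derives `programname` from the same tag, so lines from a differently named binary (or from Snort run under a custom tag) are not diverted, which is why matching on the program name answers the "localX.* or binary name" question more precisely than a facility selector does.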
Current thread:
- Snort and Syslog Phil Daws (Apr 04)
- Re: Snort and Syslog Jeremy Hoel (Apr 04)
- Re: Snort and Syslog Phil Daws (Apr 04)
- Re: Snort and Syslog Jefferson, Shawn (Apr 05)
- Re: Snort and Syslog Phil Daws (Apr 04)
- Re: Snort and Syslog Josh Bitto (Apr 04)
- Re: Snort and Syslog waldo kitty (Apr 04)
- Re: Snort and Syslog Jeremy Hoel (Apr 04)
- Re: Snort and Syslog Phil Daws (Apr 04)
- Re: Snort and Syslog waldo kitty (Apr 04)
- Re: Snort and Syslog Doug Burks (Apr 04)
- Re: Snort and Syslog Phil Daws (Apr 04)
- Re: Snort and Syslog Doug Burks (Apr 04)
- Re: Snort and Syslog Phil Daws (Apr 04)
- Re: Snort and Syslog Doug Burks (Apr 04)
- Re: Snort and Syslog Phil Daws (Apr 04)
- Re: Snort and Syslog Jeremy Hoel (Apr 04)
- <Possible follow-ups>
- Re: Snort and Syslog Lay, James (Apr 04)