Snort mailing list archives

Re: Snort 2.9.9.0 miss syslog messages


From: Marcin Dulak <marcin.dulak () gmail com>
Date: Thu, 2 Mar 2017 12:45:36 +0100

Wouldn't it be better to have a template unit file, and start the two services
separately?

https://fedoramagazine.org/systemd-template-unit-files/
https://wiki.archlinux.org/index.php/snort#Inline_mode

What do you currently do when only one of your instances dies?

Marcin


On Thu, Mar 2, 2017 at 11:41 AM, Eric Deherve <eric.deherve () homesend com>
wrote:

Hello


Before snort 2.9.9.0 I had one syslog message "Commencing packet
processing" per interface. In my case, two:

snort[6348]: Commencing packet processing (pid=6348)
snort[6901]: Commencing packet processing (pid=6901)

Since snort 2.9.9.0 I have only a syslog message for the first interface,
with the correct PID; I see the second PID in audit.log but no syslog
message. The second process for the second interface is effectively mute.

snort[27616]: Commencing packet processing (pid=27616)

and from audit.log:

type=SYSCALL msg=audit(1488409331.365:382058): arch=c000003e syscall=54 success=yes exit=0 a0=7 a1=107 a2=1 a3=7ffc9b53ea40 items=0 ppid=1 pid=27857 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="snort" exe="/usr/sbin/snort-plain" subj=system_u:system_r:snort_t:s0 key=(null)

Snort seems to work fine:

       Active: active (running) since Thu 2017-03-02 00:02:11 CET; 11h ago
         Docs: man:systemd-sysv-generator(8)
      Process: 27529 ExecStop=/etc/rc.d/init.d/snortd stop (code=exited, status=0/SUCCESS)
      Process: 27547 ExecStart=/etc/rc.d/init.d/snortd start (code=exited, status=0/SUCCESS)
       CGroup: /system.slice/snortd.service
               |-27616 /usr/sbin/snort -A fast -b -d -D -i ens256 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/ens256
               `-27857 /usr/sbin/snort -A fast -b -d -D -i ens161 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/ens161

But I need the syslog messages for the monitoring.

Does anybody have the same problem, or the solution?

Eric
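A worked illustration of both points raised in this thread: Marcin's suggestion of one template unit instance per interface, and Eric's need to confirm from syslog that every Snort instance actually started. This is added example code, not anything posted by Marcin or Eric and not part of the Snort project. It assumes the cgroup tree printed by `systemctl status` and the syslog message format quoted in the thread; the sample inputs are constructed from those quotes, the `snort@.service` layout is a hypothetical one, and the template assumes the per-interface log directory passed with `-l` already exists.

```python
"""Cross-check running Snort instances against their syslog startup
messages, and derive a per-interface systemd template unit from the
observed command line.

Added example for the thread above, not code from Snort or from the
posters. Sample inputs are constructed from the status output and the
syslog line quoted in the thread.
"""
import re
import shlex

# Process lines of the cgroup tree printed by `systemctl status`
# ("|-PID command ..." or "`-PID command ...").
CGROUP_LINE = re.compile(r'^\s*[|`]-(\d+)\s+(.*)$')

# The message Snort logs once per instance when it starts sniffing.
STARTUP_LINE = re.compile(
    r'snort\[(\d+)\]: Commencing packet processing \(pid=(\d+)\)')

# Constructed from the `systemctl status snortd` output in the thread,
# with the wrapped lines rejoined.
STATUS_SAMPLE = """\
   CGroup: /system.slice/snortd.service
           |-27616 /usr/sbin/snort -A fast -b -d -D -i ens256 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/ens256
           `-27857 /usr/sbin/snort -A fast -b -d -D -i ens161 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/ens161
"""

# Constructed: only the first instance announced itself, as in the thread.
SYSLOG_SAMPLE = [
    "Mar  2 00:02:12 sensor snort[27616]: Commencing packet processing (pid=27616)",
]


def parse_cgroup_processes(status_text):
    """Map pid -> interface (the -i argument) for each snort process listed."""
    procs = {}
    for line in status_text.splitlines():
        m = CGROUP_LINE.match(line)
        if not m:
            continue
        pid, argv = int(m.group(1)), shlex.split(m.group(2))
        if not argv or not argv[0].endswith("snort"):
            continue
        iface = None
        for i, arg in enumerate(argv[:-1]):
            if arg == "-i":
                iface = argv[i + 1]
        procs[pid] = iface
    return procs


def announced_pids(syslog_lines):
    """PIDs that logged the startup message; the pid in the syslog tag
    and the pid inside the message have to agree."""
    pids = set()
    for line in syslog_lines:
        m = STARTUP_LINE.search(line)
        if m and m.group(1) == m.group(2):
            pids.add(int(m.group(1)))
    return pids


def missing_startup_messages(status_text, syslog_lines):
    """Interfaces whose snort process is running (per systemd) but never
    announced itself in syslog. Sorted so monitoring output is stable."""
    procs = parse_cgroup_processes(status_text)
    seen = announced_pids(syslog_lines)
    return sorted(iface for pid, iface in procs.items() if pid not in seen)


def template_unit_from_cmdline(cmdline, interface):
    """Build a hypothetical snort@.service from one observed command line:
    the interface name becomes %i wherever it appears (also in the -l log
    directory) and -D is dropped, since systemd supervises the foreground
    process itself. Assumes /var/log/snort/<iface> exists per instance."""
    argv = [a.replace(interface, "%i") for a in shlex.split(cmdline)
            if a != "-D"]
    return (
        "[Unit]\n"
        "Description=Snort IDS on %i\n"
        "After=network.target\n"
        "\n"
        "[Service]\n"
        "Type=simple\n"
        "ExecStart=" + " ".join(argv) + "\n"
        "Restart=on-failure\n"
        "\n"
        "[Install]\n"
        "WantedBy=multi-user.target\n"
    )


if __name__ == "__main__":
    print("no startup message from:",
          missing_startup_messages(STATUS_SAMPLE, SYSLOG_SAMPLE))
    # Derive the template from the first instance's command line.
    first = CGROUP_LINE.match(STATUS_SAMPLE.splitlines()[1]).group(2)
    print(template_unit_from_cmdline(first, "ens256"))
```

With the generated unit installed as `/etc/systemd/system/snort@.service`, `systemctl start snort@ens256 snort@ens161` gives each interface its own unit, PID and failure state, so a dead or silent instance shows up in `systemctl status snort@ens161` instead of hiding behind a healthy sibling inside one `snortd.service`.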

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
