Re: Syslog trouble

[John Sage <jsage () finchhaven com>]

Michael:

I was surprised at the -s 127.0.0.1 syntax (somebody else had 10.0.0.1 I 
think..)

I'm not seeing how man snort talks about the switch -s in a way that 
makes it want an IP after it...

One thing I've noticed is that when you make the transition to using 
snort.conf, a lot of the command line switches are contradictory, and 
don't generate error messages but don't *work*, either ;-)

...anyway, how's /etc/syslog.conf set up?

cd to /var/log and try "grep snort messages" or "grep snort daemon" and 
see if you can find anything..

Basic stuff:

If you say ps ax are you seeing klogd and syslogd running?

Is anything getting logged at all?

HTH..

- John

--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."


Michael J Clark wrote:

> Im using RH7.1.  As per the previous message,  I tried -s 127.0.0.1 and 
> no luck, get a parse error.  I tried making a daemon entry and changing 
> it to LOG_DAEMON.  Still no luck :(
>
>
>
>
> > Michael:
> >
> > You don't say what OS you're using, but I'm not sure that matters a lot 
> > (well, it *may* matter some, but I dunno.. ;-)
> >
> > Under Linux 2.2.14 I have in snort.conf:
> >
> > # Use one or more syslog facilities as arguments
> > # DAEMON = facility; ALERT = priority at man syslog.conf(5)
> > #
> > output alert_syslog: LOG_DAEMON LOG_ALERT
> >
> > And in /etc/syslog.conf I have:
> >
> > daemon.*          /var/log/daemon
> >
> > and:
> >
> > *.info;*.notice;*.warn;\
> >       mail.none;news.none;authpriv.none     /var/log/messages
> >
> > Messages appear specifically in /var/log/messages and /var/log/daemon
> >
> > And messages are picked up out of those by Psionic's logcheck and mailed 
> > to me on several boxen..
> >
> > snort command line:
> >
> > snort -b -i ppp0 -c /usr/local/snort-1.7/snort.conf &
> >
> > HTH..
> >
> > - John
> >
> > --
> > John Sage
> > FinchHaven, Vashon Island, WA, USA
> > http://www.finchhaven.com/
> > mailto:jsage () finchhaven com
> > "The web is so, like, five minutes ago..."
> >
> > Michael J Clark wrote:
> >
> >
> > > Hey guys,
> > >
> > > Im sure this is an easy question but its been giving me trouble for a while.
> > >
> > > I can't seem to get anything to log to syslog.  Logging is fine in the 
> > > directories (Im using 1.7).


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users