Snort mailing list archives

Re: snort and syslog


From: John Sage <jsage () finchhaven com>
Date: Mon, 23 Jul 2001 09:34:29 -0700

Douglas:

Do you have an entry for the AUTH facility in /etc/syslog.conf (or its equivalent..) on your system?

The first reference (LOG_AUTH) is to the facility, and the second (LOG_ALERT) is to the priority level (see: man syslog.conf)

FWIW, I decided to say:

output alert_syslog: LOG_DAEMON LOG_ALERT

to get output via syslog, having an entry in /etc/syslog.conf like this:

# kern.*		/dev/console
kern.*		/var/log/kernel
# daemon.*		/dev/console
daemon.*		/var/log/daemon

HTH..

- John

--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."


Douglas F. Elznic wrote:

Hello,
I have a real easy question about snort and syslog. I am obviously
missing something...

I have the following line in my snort.conf:

output alert_syslog: LOG_AUTH LOG_ALERT

Snort gets started like this:
echo -n "Starting snort: "
        daemon /usr/sbin/snort -u snort -g snort  -d -D \
        -l /var/log/snort -b -i $INTERFACE  -c /etc/snort/snort.conf

and I thought I should send the messages to a remote host with a syslog
entry like this:

snort.*                @loghost

But that does not work. If I do *.* I get all the messages sent to the
remote host like you would expect. How do I get it to only send snort
messages?

Thanks in advance. I know I am missing something real stupid here...


--
+------------------+---------------------------------------------------+
|  Douglas Elznic  |        GPG Key: <dfe () anize org> 0x13300731        |
+------------------+---------------------------------------------------+
|  Thinker-@-Large | Pub Key:                                          |
|   dfe () anize org  | http://web.syr.edu/~dfelznic/dfe.asc              |
| dfelznic () syr edu | Fingerprint:                                      |
|  dfe () lsb syr edu | EF9C 7E3C 0327 EAAF 1E20 5299 0805 7531 1330 0731 |
| http://anize.org | * This key will be used for all email addresses * |
+----------------------------------------------------------------------+
|         All emails should be accompanied by a gpg signature.         |
+----------------------------------------------------------------------+

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
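To make John's facility/priority point concrete, here is an added example (not code from the thread or from Snort) that applies traditional syslog.conf selector matching to constructed config lines mirroring the ones discussed; it shows why "snort.*" never matches and what an "auth.alert" line would do for "output alert_syslog: LOG_AUTH LOG_ALERT".

```python
# Added example: matches a (facility, priority) pair against traditional
# syslog.conf selectors (facility lists, '*', 'none', threshold priorities).
# Not from the thread; the '=' and '!' modifiers of newer syslogds are omitted.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "local0", "local1", "local2",
              "local3", "local4", "local5", "local6", "local7"]
# Index 0 is most urgent; "daemon.alert" matches alert and everything above it.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def actions_for(conf_lines, facility, priority):
    """Return the actions (files, hosts) that receive a facility.priority message."""
    if facility not in FACILITIES or priority not in PRIORITIES:
        raise ValueError(f"{facility}.{priority} is not a syslog(3) facility/priority")
    actions = []
    for raw in conf_lines:
        line = raw.split("#", 1)[0].strip()  # comments and blank lines carry no rule
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        selectors, action = parts
        send = False
        for sel in selectors.split(";"):
            facs, _, prio = sel.rpartition(".")
            if facs != "*" and facility not in facs.split(","):
                continue  # e.g. "snort" is not a facility name, so it never covers us
            # later selectors on the same line override earlier ones
            if prio == "none":
                send = False
            elif prio == "*":
                send = True
            elif prio in PRIORITIES:
                send = PRIORITIES.index(priority) <= PRIORITIES.index(prio)
        if send:
            actions.append(action)
    return actions


# Constructed syslog.conf mirroring the thread; tabs separate selector and action.
SAMPLE_CONF = [
    "# kern.*\t/dev/console",
    "kern.*\t/var/log/kernel",
    "daemon.*\t/var/log/daemon",
    "snort.*\t@loghost",     # Douglas's attempt: matches nothing
    "auth.alert\t@loghost",  # what LOG_AUTH LOG_ALERT actually needs
    "*.info;auth.none\t/var/log/messages",
]

if __name__ == "__main__":
    print(actions_for(SAMPLE_CONF, "auth", "alert"))  # ['@loghost']
```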