Snort mailing list archives

Re: logging to syslog


From: "Madhav Diwan" <mdiwan () wagweb com>
Date: 20 Feb 2002 13:33:18 -0500

Thank you. That works quite well.

Madhav



On Wed, 2002-02-20 at 11:14, Chris Green wrote:

Madhav Diwan <mdiwan () wagweb com> writes:

Is there a way to log alerts to the /var/log/secure file instead of
the /var/log/messages file?

 I am using Red Hat 7.2, snort 1.8.3-5,
and the following command line in /etc/init.d/snortd:

      daemon /usr/sbin/snort -l /var/log/snort -d -D \
               -i $INTERFACE -c /etc/snort/snort.conf

 /etc/snort/snort.conf is configured to log to syslog

 output alert_syslog: LOG_AUTH LOG_ALERT


rh 7.2 syslog.conf:
# The authpriv file has restricted access.
authpriv.*                     /var/log/secure

try:
output alert_syslog: LOG_AUTHPRIV LOG_ALERT

according to rh 7.2 syslog(3),

 LOG_AUTH
        security/authorization messages (DEPRECATED Use LOG_AUTHPRIV instead)

 LOG_AUTHPRIV
              security/authorization messages (private)



obsd 3.0's

LOG_AUTH      The authorization system: login(1), su(1), getty(8), etc.

LOG_AUTHPRIV  The same as LOG_AUTH, but logged to a file readable only by
              selected individuals.

so it does seem at least 2 people agree that AUTHPRIV stuff goes to
secure which is where trusted admins can look rather than pimply faced
youths.

but the messages end up in the messages file
and i want them to go to the secure file as they did in snort 1.7.
--
Chris Green <cmg () uab edu>
To err is human, to moo bovine.
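
Added example, not part of the original messages and not code from Snort or sysklogd: a simplified Python model of syslog.conf selector matching that shows why alerts logged as LOG_AUTH land in /var/log/messages while LOG_AUTHPRIV alerts land in /var/log/secure. The /var/log/messages rule is an assumption in the style of a stock Red Hat configuration (only the authpriv rule is quoted in the thread), the function names are hypothetical, and "!" negation is not modelled.

```python
# Severity keywords from syslog(3), most severe first.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample config. Only the authpriv rule is quoted in the thread;
# the /var/log/messages rule is assumed (stock Red Hat style).
SYSLOG_CONF = """\
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
# The authpriv file has restricted access.
authpriv.*                                  /var/log/secure
"""

def selector_matches(selector, facility, priority):
    """Return True if a sysklogd-style selector selects (facility, priority)."""
    selected = False
    for part in selector.split(";"):           # parts are applied left to right
        facs, _, prio = part.strip().rpartition(".")
        if facs != "*" and facility not in facs.split(","):
            continue                           # this part names other facilities
        if prio == "none":                     # explicit exclusion of the facility
            selected = False
        elif prio == "*":                      # every priority
            selected = True
        elif prio.startswith("="):             # exactly this priority
            selected = selected or priority == prio[1:]
        else:                                  # this priority and anything more severe
            selected = selected or (
                PRIORITIES.index(priority) <= PRIORITIES.index(prio))
    return selected

def destinations(conf, snort_facility, snort_priority):
    """Log files that receive an alert_syslog message, e.g. LOG_AUTH LOG_ALERT."""
    fac = snort_facility[4:].lower()           # LOG_AUTHPRIV -> authpriv
    pri = snort_priority[4:].lower()           # LOG_ALERT    -> alert
    files = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        if selector_matches(selector, fac, pri):
            files.append(action)
    return files

if __name__ == "__main__":
    for facility in ("LOG_AUTH", "LOG_AUTHPRIV"):
        print(facility, "->", destinations(SYSLOG_CONF, facility, "LOG_ALERT"))
```

A quick audit check on a real host is to confirm that no catch-all rule such as "*.info" also selects authpriv, since that would copy the alerts into a less restricted file.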




