Snort mailing list archives

RE: Alert OR syslog?


From: "Weiss, Jeffrey H." <Jeffrey.Weiss () Pleasantco com>
Date: Thu, 5 Dec 2002 10:56:32 -0700

Hi, Alberto,
Thanks for your response.
Reasons for 3 types of logging (may not be good reasons):
1. Binary format allows analysis tools to be leveraged (snortsnarf).
2. Alert log provides a local, easily perused/tailed indicator of nasties and
falsies.
3. Syslog entries can be directed off-server to a remote central logging
server.
I could work without the alert log but don't understand why enabling syslog
disables it.

Not sure I understand your blame_cmg...new flag?
Thanks,
Jeffrey

-----Original Message-----
From: Alberto Gonzalez [mailto:albertg () cerebro violating us]
Sent: Thursday, December 05, 2002 2:00 PM
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Alert OR syslog?


In your command line, you're doing binary logging (-b), full logging (-A full) and syslog (-s).
I haven't tried to do both syslog and FULL (waste of time?).

When I run it with the following command snort seems to run fine:

/usr/local/bin/snort -c /etc/snort/snort.conf -I -A full -s blame_cmg -i rl0

So give that a try, I'm not sure why someone wants 3 logging mechanisms, 
but hey!

Cheers!

   - Alberto

(sorry cmg for the syslog part :-)) <grin>


Weiss, Jeffrey H. wrote:

I am wondering why I cannot get both an alert log written AND syslogging to occur.

My command line invocation:
snort -b -c /usr/local/etc/snort/snort.conf -I -A full -l /logs/UA/snort -s -i qfe0

Pertinent snort.conf(?):
output alert_syslog: LOG_ALERT

Is there something too obvious here?
Thanks!
Jeffrey Weiss


-- 
The secret to success is to start from scratch and keep on scratching.
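Added configuration example (not from this thread or from the Snort project's own files) showing one way to get all three outputs Jeffrey lists at once. It assumes the Snort 1.9-era output plugins alert_full, alert_syslog and log_tcpdump, which correspond to the -A full, -s and -b command-line switches, and it rests on the point that -A and -s each select a single alert mode from the command line and take precedence over output plugins in snort.conf, which is the likely reason that adding -s replaced the full alert log instead of adding to it. Moving the output selection into the config file sidesteps that; the file paths and the LOG_AUTH facility below are assumptions, with LOG_ALERT taken from the thread.

```conf
# snort.conf output section (added example, not the thread's original config).
# Declaring several output plugins here lets them run side by side; the
# command line then carries no -A, -s or -b so it cannot override them.

# 1. Binary (tcpdump-format) log for after-the-fact analysis tools such as
#    snortsnarf; equivalent to -b. File is written under the -l directory.
output log_tcpdump: snort.log

# 2. Full-text alert file for local tailing/perusal; equivalent to -A full.
output alert_full: alert

# 3. Syslog, so alerts can be forwarded to a remote central logging server
#    by the host's syslog daemon. Facility LOG_AUTH is an assumed choice;
#    LOG_ALERT is the priority Jeffrey's config already used.
output alert_syslog: LOG_AUTH LOG_ALERT

# Matching invocation (same interface, config and log directory as in the
# thread, with -b, -A full and -s removed so snort.conf decides the outputs):
#   snort -c /usr/local/etc/snort/snort.conf -I -l /logs/UA/snort -i qfe0
```

Two checks worth doing after the change: confirm all three files/streams fill in on a test alert (tail the alert file, look at the syslog target, and open snort.log with tcpdump -r), and make sure the syslog daemon on the sensor is actually configured to ship LOG_AUTH messages off-host, since Snort only hands the line to the local syslog; the remote delivery is the daemon's job.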



