Snort mailing list archives

Re: problem with alert_syslog and internal statistics...


From: Erek Adams <erek () snort org>
Date: Thu, 13 Feb 2003 16:44:24 -0500 (EST)

On Thu, 13 Feb 2003, Bob Hoffmaster wrote:

> Internal statistics are not being written to the syslog facility.
>
> (I have been searching the archives for this problem, but, no luck)
>
> Snort alert messages and PID are successfully being written to the
> /var/adm/messages

I see you're on Solaris.

> BUT when I 'kill -USR1 <snort pid>', the internal statistics summary
> information is not written to the /var/adm/messages file.
>
> Starting snort this way: 'snort -c /snort.conf' and/or 'snort -N -c
> /snort.conf'
>
> my snort.conf has this entry:
>       output alert_syslog: LOG_AUTH LOG_ALERT LOG_PID
>
> my syslog.conf file (Solaris OS) has this entry:
>       *.alert         /var/adm/messages

My initial thoughts are "You're wrong." since it works for me.  In the
testlab I've got a Solaris 2.7 box w/all the latest patches (2/01/03).  I
have a sincere feeling that it's something more to do with syslog.conf
than anything else....  But I've been known to be wrong!  :)

I'd put all local[0-9].* or AUTH facilities into a file and then see where
they end up.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

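An added illustration, not part of the original post: a small Python model of classic syslog.conf selector matching, applied to the `*.alert` entry quoted above and to a catch-all in the spirit of the suggestion to put the AUTH and local facilities into a file. The catch-all path `/var/adm/syslog-debug` and the sample facility/priority pairs are constructed; the thread does not say at which priority the statistics summary is logged.

```python
# Added example. Models classic syslog.conf selectors, where "facility.level"
# selects messages at that level or any more severe one.
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def selector_matches(selector, facility, level):
    """True if a message logged as facility.level is picked by the selector.

    selector is the left column of a syslog.conf line, for example
    "*.alert" or "auth.debug;local0,local1.info;mail.none".
    """
    threshold = None  # None means this facility is not selected
    for part in selector.split(";"):
        facilities, _, wanted = part.strip().rpartition(".")
        if facilities == "*" or facility in facilities.split(","):
            # A later part overrides an earlier one for the same facility.
            threshold = None if wanted == "none" else SEVERITY.index(wanted)
    return threshold is not None and SEVERITY.index(level) <= threshold

def route(rules, facility, level):
    """Return every destination whose selector matches the message."""
    return [dest for sel, dest in rules if selector_matches(sel, facility, level)]

LOCALS = ",".join(f"local{n}" for n in range(8))
RULES = [
    ("*.alert", "/var/adm/messages"),                         # entry from the post
    (f"auth.debug;{LOCALS}.debug", "/var/adm/syslog-debug"),  # constructed catch-all
]

# Constructed sample messages: (facility, level)
SAMPLES = [("auth", "alert"), ("auth", "info"), ("local0", "notice")]

if __name__ == "__main__":
    for facility, level in SAMPLES:
        print(f"{facility}.{level:8} -> {route(RULES, facility, level) or 'dropped'}")
```

Anything that shows up only in the catch-all file was logged below `alert`, so the `*.alert` line would never have written it to `/var/adm/messages`.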