Snort mailing list archives

Alert facility and output facility


From: "Jan van den Berg" <jan () e-commercepark com>
Date: Thu, 27 Mar 2003 05:46:33 -0400

Hi there, 


I was reading
http://www.theadamsfamily.net/~erek/snort/logging_methods.txt and was
wondering what is meant by the so-called alerting and output
facilities. Is this like swatch and logwatch, or is it something else?

Other question: when running Snort, it logs to MySQL and also keeps a log
in /var/log/snort (as described in
http://www.snort.org/docs/faq.html#2.2). What is the difference from the
database?


These questions came to mind as I am thinking of ways to generate e-mails
when specific alerts are put out. Answering my question would be of help,
but even better would be someone with a concrete example of e-mail alerting.
There must be someone out there who has dealt with this too?

I checked out logwatch and swatch (tip from:
http://www.snort.org/docs/faq.html#5.8-) but their sites are kind of
low-info (http://swatch.sourceforge.net/). 

Also, I am confused, as these tools deal with log files and not
databases; how would one go about that? It seems to me you want the
alerts from the database, right?


Regards,


Jan van den Berg


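One concrete way to do the e-mail alerting asked about above, added here as an example and not code from the original post or from the Snort project: read Snort's "alert_fast" output (the one-line-per-alert file that Snort's alert_fast output plugin writes under /var/log/snort), keep only alerts whose SID is on a watch list or whose priority is at or above a threshold (Snort priority 1 is the most severe), and build one e-mail per match. The sample log lines below are constructed for the example, and the sender/recipient addresses and the local SMTP relay on localhost are assumptions; the same filter works just as well on rows polled from the database, which is why it is kept separate from the parser.

```python
#!/usr/bin/env python3
"""Added example: turn Snort alert_fast lines into e-mail alerts.

Not from the original post or from the Snort project. Assumes Snort is
configured with the alert_fast output plugin and that a mail relay
listens on localhost; addresses below are placeholders.
"""
import re
import smtplib
import time
from email.message import EmailMessage

# alert_fast line layout, e.g.
# 03/27-05:46:33.123456  [**] [1:2003:2] MS-SQL Worm propagation attempt [**]
#   [Classification: Misc Attack] [Priority: 2] {UDP} 10.0.0.5:1434 -> 10.0.0.1:1434
# The Classification part is optional; ICMP alerts carry addresses without ports.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def parse_alert(line):
    """Return a dict for one alert_fast line, or None if the line does not parse."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        alert[key] = int(alert[key])
    return alert


def wants_mail(alert, watched_sids, priority_threshold):
    """Mail if the SID is on the watch list or the priority is at least as
    severe as the threshold (lower number = more severe in Snort)."""
    return alert["sid"] in watched_sids or alert["prio"] <= priority_threshold


def build_message(alert, sender, recipient):
    """Compose the e-mail for one alert (no sending here, so this runs offline)."""
    msg = EmailMessage()
    msg["Subject"] = f"[snort] {alert['msg']} ({alert['src']} -> {alert['dst']})"
    msg["From"] = sender
    msg["To"] = recipient
    msg.set_content(
        f"time:           {alert['ts']}\n"
        f"rule:           {alert['gid']}:{alert['sid']}:{alert['rev']}\n"
        f"classification: {alert['cls'] or 'n/a'}\n"
        f"priority:       {alert['prio']}\n"
        f"flow:           {alert['proto']} {alert['src']} -> {alert['dst']}\n"
    )
    return msg


def alerts_to_mail(lines, watched_sids, priority_threshold, sender, recipient):
    """Yield one EmailMessage per line that parses and matches the policy."""
    for line in lines:
        alert = parse_alert(line)
        if alert is None:  # truncated or foreign line: skip, never crash the watcher
            continue
        if wants_mail(alert, watched_sids, priority_threshold):
            yield build_message(alert, sender, recipient)


def follow(path, poll_seconds=1.0):
    """tail -f style generator: start at end of file, yield new lines as written."""
    with open(path, "r") as fh:
        fh.seek(0, 2)
        while True:
            line = fh.readline()
            if line:
                yield line
            else:
                time.sleep(poll_seconds)


def send_all(messages, smtp_host="localhost"):
    """Deliver messages through the local relay (assumed to exist)."""
    with smtplib.SMTP(smtp_host) as smtp:
        for msg in messages:
            smtp.send_message(msg)


# Constructed sample alert_fast lines (addresses and timestamps made up).
SAMPLE_LOG = [
    "03/27-05:46:33.123456  [**] [1:2003:2] MS-SQL Worm propagation attempt [**] "
    "[Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.20:1434 -> 192.168.1.1:1434",
    "03/27-05:47:01.000001  [**] [1:1000001:1] LOCAL test rule [**] "
    "[Priority: 3] {ICMP} 192.168.1.20 -> 192.168.1.1",
    "03/27-05:47:05.500000  [**] [1:1390:5] SHELLCODE x86 inc ebx NOOP [**] "
    "[Classification: Executable code was detected] [Priority: 1] {TCP} 10.0.0.9:3344 -> 192.168.1.10:80",
    "this line is not an alert and must be ignored",
]

if __name__ == "__main__":
    # Dry run over the constructed sample: print the subjects instead of sending.
    for m in alerts_to_mail(SAMPLE_LOG, {1000001}, 1, "snort@example.org", "ops@example.org"):
        print(m["Subject"])
    # Live use: send_all(alerts_to_mail(follow("/var/log/snort/alert"), {1000001}, 1,
    #                                   "snort@example.org", "ops@example.org"))
```

The watcher reads the flat file rather than the database because alert_fast is written synchronously by Snort and needs no polling query; with the database output plugin the same `wants_mail` and `build_message` functions can be applied to rows selected from the event and signature tables instead.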