Snort mailing list archives

Re: output alert_syslog


From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 14 Jan 2003 14:47:29 -0500

Reconfigure your syslogd to not log local5 to /var/log/messages by adding local5.none to the specifier for that logfile:

*.err;*.notice;kern.debug;lpr.info;mail.crit;news.err;local5.none /var/log/messages

At 05:04 PM 1/14/2003 -0200, Giovanni P. Tirloni wrote:
Hi,

 I've configured snort 1.9.0 to use syslog and edited syslog.conf so it logs
 local5.alert to /var/log/snort.alert but it's logging to that file AND
 /var/log/messages. I'd like to log to snort.alert only.

 Here is the relevant information:

 snort.conf:

 [...]
 output alert_syslog: LOG_LOCAL5 LOG_ALERT
 output log_unified: filename snort.log, limit 128
 [...]


 syslog.conf:

 *.err;*.notice;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages
 security.*                                      /var/log/security
 auth.notice;auth.info;authpriv.info             /var/log/auth.log
 mail.info                                       /var/log/maillog
 cron.*                                          /var/log/cron
 *.emerg                                         *
 local5.alert                                    /var/log/snort.alert
 console.info                                    /var/log/console.log


 # ls -l /var/log/snort.alert
 -rw-r--r--  1 root  wheel  2015 Jan 14 16:45 snort.alert

 # ls -l /var/log/snort/
 -rw-r--r--  1 snort  snort  489509 Jan 14 16:54 scan.log
 -rw-r--r--  1 snort  snort    1119 Jan 14 16:45 snort.alert
 -rw-r--r--  1 snort  snort     452 Jan 14 12:56 snort.log.1042555093
 -rw-r--r--  1 snort  snort     514 Jan 14 12:58 snort.log.1042556289
 -rw-r--r--  1 snort  snort      24 Jan 14 16:40 snort.log.1042569610

 I'm running snort with this command line:

/usr/local/bin/snort -D -c /usr/local/etc/snort.conf -i fxp0 -p -z -u snort \
  -g snort -m 022

 Thanks in advance (and sorry if it is obvious),

--
Giovanni P. Tirloni
gpt () tirloni org


-------------------------------------------------------
This SF.NET email is sponsored by: Take your first step towards giving
your online business a competitive advantage. Test-drive a Thawte SSL
certificate - our easy online guide will show you how. Click here to get
started: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0027en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
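
Why the alerts land in both files, and why local5.none stops it, as an added example that is not part of either post: a minimal Python model of basic syslog.conf selector matching, where facility.level selects that level and anything more severe, a later entry for the same facility overrides an earlier one, and none excludes the facility. The function names are hypothetical, and only the two relevant lines of the posted syslog.conf are used.

```python
# Added illustration: models basic syslog.conf selector semantics only
# (no comparison flags, no program/host blocks).
LEVELS = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
          "warning": 4, "notice": 5, "info": 6, "debug": 7}

def matches(selector, facility, level):
    """True if a message with this facility/level is selected."""
    threshold = None  # None means the facility is not selected
    for part in selector.split(";"):
        facs, lvl = part.strip().rsplit(".", 1)
        names = facs.split(",")
        if facility in names or "*" in names:
            # A later entry replaces whatever an earlier one set.
            if lvl == "none":
                threshold = None
            elif lvl == "*":
                threshold = LEVELS["debug"]
            else:
                threshold = LEVELS[lvl]
    # Lower number = more severe; log the threshold level and above.
    return threshold is not None and LEVELS[level] <= threshold

def destinations(config, facility, level):
    """Return every action (log file) that would receive the message."""
    out = []
    for line in config.strip().splitlines():
        selector, action = line.split(None, 1)
        if matches(selector, facility, level):
            out.append(action.strip())
    return out

# Lines as posted in the question.
ORIGINAL = """
*.err;*.notice;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages
local5.alert                                    /var/log/snort.alert
"""

# Same lines with the local5.none suffix from the reply.
FIXED = """
*.err;*.notice;kern.debug;lpr.info;mail.crit;news.err;local5.none /var/log/messages
local5.alert                                    /var/log/snort.alert
"""

if __name__ == "__main__":
    # snort.conf sends alerts as LOG_LOCAL5 / LOG_ALERT.
    print("original:", destinations(ORIGINAL, "local5", "alert"))
    print("fixed:   ", destinations(FIXED, "local5", "alert"))
```

The original line catches the alert through *.err and *.notice, because alert is more severe than either; local5.none at the end of the list overrides both wildcards for that one facility.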


