Snort mailing list archives

RE: disable /var/log/snort logging

From: "Joesph Bowling" <joeybowling () hotmail com>
Date: Wed, 07 May 2003 19:59:04 -0400

Delete them

From: "Nick White" <nwhite () avidbio com>
CC: <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] disable /var/log/snort logging
Date: Wed, 7 May 2003 16:48:13 -0700

You're right, the -N option turns off packet logging.  Sure it doesn't
write to the disk, but it turns off packet logging within mysql as well
- not cool.  Surely there is a way to have snort log everything to mysql
(even packet logging), without dumping data to the hard drive.  I just
can't figure out how.  I'm starting snort with -b (binary logging)
option, which takes care of it crashing after a few minutes under a
really heavy load.  Even still, logging to the disk is a total waste
because I'll never do anything with the binary logs.

-----Original Message-----
From: Anderson Johnston [mailto:andy () umbc edu]
Sent: Tuesday, May 06, 2003 3:36 PM
To: Nick White
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] disable /var/log/snort logging


The -N option should suppress logging (while allowing alerts).

Caveats:
        1. I don't know if it will stop logs to mysql, too.
        2. The option doesn't seem to be working on my
                system  (Solaris 8) under Snort 2.0.

                                        - Andy

On Tue, 6 May 2003, Nick White wrote:

> Hi All,
> I'm fairly new with snort, so go easy on me.  I'm running snort and
> logging to mysql just fine.  The problem is, it's also logging to
> /var/log/snort.  I need to figure out how to disable this logging to
> disk.  I've looked at all the switches, and I can't seem to figure it
> out.  I tried -A none, but then it stopped alerting to mysql.  I also
> tried -l /dev/null, but it didn't like that one.
>
> Snort starts as a service via:
> /usr/local/bin/snort -u snort -g snort -d -D -c /etc/snort/snort.conf
>
> In snort.conf, I log to mysql with:
> output database: alert, mysql, user=snortusr password=fakepass
> dbname=snort host=localhost
>
> I'm trying to kill snort with as much data as I can throw at it, and
it
> always dies after a few minutes with:
> May  6 14:54:34 localhost snort: FATAL ERROR: OpenLogFile() =>
> fopen(/var/log/snort/10.10.1.30/UDP:138-138) log file: Not a directory
>
> But I KNOW that the snort user has full permission to /var/log/snort.
> But I don't need logging to disk.  It's a waste.  I only want it to
log
> to mysql.
>
> Thanks for your help!
> - nick white
>
>
> -------------------------------------------------------
> Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara
> The only event dedicated to issues related to Linux enterprise
solutions
> www.enterpriselinuxforum.com
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list
>

------------------------------------------------------------------------
------
** Andy Johnston (andy () umbc edu)          *            pager:
410-678-8949  **
** Manager of IT Security                 * PGP key:(afj2002)
4096/8448B056 **
** Office of Information Technology, UMBC *   4A B4 96 64 D9 B6 EF E3 21
9A **
** 410-455-2583 (v)/410-455-1065 (f)      *   46 1A 37 11 F5 6C 84 48 B0
56 **
------------------------------------------------------------------------
------



-------------------------------------------------------
Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara
The only event dedicated to issues related to Linux enterprise solutions
www.enterpriselinuxforum.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


_________________________________________________________________

STOP MORE SPAM with the new MSN 8 and get 2 months FREE*http://join.msn.com/?page=features/junkmail




-------------------------------------------------------
Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara
The only event dedicated to issues related to Linux enterprise solutions
www.enterpriselinuxforum.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

disable /var/log/snort logging Nick White (May 06)
- Re: disable /var/log/snort logging Anderson Johnston (May 06)
- <Possible follow-ups>
- RE: disable /var/log/snort logging Nick White (May 07)
  - Re: disable /var/log/snort logging Bamm Visscher (May 08)
- RE: disable /var/log/snort logging Joesph Bowling (May 07)
- RE: disable /var/log/snort logging L. Christopher Luther (May 07)
- RE: disable /var/log/snort logging Nick White (May 08)
- RE: disable /var/log/snort logging Nick White (May 08)
  - Re: disable /var/log/snort logging Bamm Visscher (May 08)
- RE: disable /var/log/snort logging L. Christopher Luther (May 08)
- RE: disable /var/log/snort logging L. Christopher Luther (May 08)
- RE: disable /var/log/snort logging Nick White (May 08)