Snort mailing list archives
RE: disable /var/log/snort logging
From: "Joesph Bowling" <joeybowling () hotmail com>
Date: Wed, 07 May 2003 19:59:04 -0400
Delete them
From: "Nick White" <nwhite () avidbio com>
CC: <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] disable /var/log/snort logging
Date: Wed, 7 May 2003 16:48:13 -0700

You're right, the -N option turns off packet logging. Sure it doesn't write to the disk, but it turns off packet logging within mysql as well - not cool.

Surely there is a way to have snort log everything to mysql (even packet logging), without dumping data to the hard drive. I just can't figure out how.

I'm starting snort with -b (binary logging) option, which takes care of it crashing after a few minutes under a really heavy load. Even still, logging to the disk is a total waste because I'll never do anything with the binary logs.

-----Original Message-----
From: Anderson Johnston [mailto:andy () umbc edu]
Sent: Tuesday, May 06, 2003 3:36 PM
To: Nick White
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] disable /var/log/snort logging

The -N option should suppress logging (while allowing alerts).

Caveats:
1. I don't know if it will stop logs to mysql, too.
2. The option doesn't seem to be working on my system (Solaris 8) under Snort 2.0.

- Andy

On Tue, 6 May 2003, Nick White wrote:

> Hi All,
> I'm fairly new with snort, so go easy on me. I'm running snort and
> logging to mysql just fine. The problem is, it's also logging to
> /var/log/snort. I need to figure out how to disable this logging to
> disk. I've looked at all the switches, and I can't seem to figure it
> out. I tried -A none, but then it stopped alerting to mysql. I also
> tried -l /dev/null, but it didn't like that one.
>
> Snort starts as a service via:
> /usr/local/bin/snort -u snort -g snort -d -D -c /etc/snort/snort.conf
>
> In snort.conf, I log to mysql with:
> output database: alert, mysql, user=snortusr password=fakepass
> dbname=snort host=localhost
>
> I'm trying to kill snort with as much data as I can throw at it, and it
> always dies after a few minutes with:
> May 6 14:54:34 localhost snort: FATAL ERROR: OpenLogFile() =>
> fopen(/var/log/snort/10.10.1.30/UDP:138-138) log file: Not a directory
>
> But I KNOW that the snort user has full permission to /var/log/snort.
> But I don't need logging to disk. It's a waste. I only want it to log
> to mysql.
>
> Thanks for your help!
> - nick white
>
>
> -------------------------------------------------------
> Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara
> The only event dedicated to issues related to Linux enterprise solutions
> www.enterpriselinuxforum.com
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list
>

------------------------------------------------------------------------------
** Andy Johnston (andy () umbc edu) * pager: 410-678-8949 **
** Manager of IT Security * PGP key:(afj2002) 4096/8448B056 **
** Office of Information Technology, UMBC * 4A B4 96 64 D9 B6 EF E3 21 9A **
** 410-455-2583 (v)/410-455-1065 (f) * 46 1A 37 11 F5 6C 84 48 B0 56 **
------------------------------------------------------------------------------
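Added example, not part of the thread: the quoted FATAL ERROR ends in "Not a directory" (ENOTDIR), which fopen() returns when a parent component of the path exists but is not a directory, regardless of permissions. The sketch below finds that component; the function names are hypothetical and the test tree is constructed under a temporary directory.

```sh
#!/bin/sh
# Added example (not from the thread). Locates the path component that makes
# fopen() fail with ENOTDIR ("Not a directory"), as in the quoted error.
# Usage on a sensor: first_non_dir /var/log/snort/10.10.1.30/UDP:138-138

# Print the parent component of $1 that exists but is not a directory.
# Returns 0 when one is found, 1 when the parents are not the problem.
first_non_dir() {
    case $1 in
        */*) p=${1%/*} ;;       # drop the final component (the file to create)
        *)   return 1 ;;        # no parent component to inspect
    esac
    while [ -n "$p" ]; do
        if [ -d "$p" ]; then
            return 1            # nearest existing ancestor is a directory
        elif [ -e "$p" ]; then
            printf '%s\n' "$p"  # exists, but as a file/socket/etc.
            return 0
        fi
        case $p in
            */*) p=${p%/*} ;;   # component missing: look one level up
            *)   return 1 ;;
        esac
    done
    return 1
}

# Constructed reproduction: a regular file sits where a per-host
# directory is expected, so the log path below it cannot be opened.
reproduce_enotdir() {
    tmp=$(mktemp -d) || return 2
    : > "$tmp/10.10.1.30"
    hit=$(first_non_dir "$tmp/10.10.1.30/UDP:138-138")
    rc=$?
    rm -rf "$tmp"
    if [ "$rc" -eq 0 ]; then
        printf '%s\n' "${hit##*/}"   # name of the offending component
    fi
    return "$rc"
}

reproduce_enotdir
```

A hit means the named entry has to be removed or renamed before the log path can be created; changing ownership or mode on /var/log/snort will not clear this error.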
Current thread:
- disable /var/log/snort logging Nick White (May 06)
- Re: disable /var/log/snort logging Anderson Johnston (May 06)
- <Possible follow-ups>
- RE: disable /var/log/snort logging Nick White (May 07)
- Re: disable /var/log/snort logging Bamm Visscher (May 08)
- RE: disable /var/log/snort logging Joesph Bowling (May 07)
- RE: disable /var/log/snort logging L. Christopher Luther (May 07)
- RE: disable /var/log/snort logging Nick White (May 08)
- RE: disable /var/log/snort logging Nick White (May 08)
- Re: disable /var/log/snort logging Bamm Visscher (May 08)
- RE: disable /var/log/snort logging L. Christopher Luther (May 08)
- RE: disable /var/log/snort logging L. Christopher Luther (May 08)
- RE: disable /var/log/snort logging Nick White (May 08)