Snort mailing list archives
RE: disable /var/log/snort logging
From: "Nick White" <nwhite () avidbio com>
Date: Thu, 8 May 2003 09:10:42 -0700
Thanks LCL for your suggestions and documentation references. I now better understand how snort treats alerts versus logs. I've tried your suggestion with the following line in my snort.conf:

output database: alert, mysql, log_null, user=snortusr password=fakepass dbname=snort host=localhost

But it's still alerting to /var/log/snort. Whenever I use the -N option to start snort, it still alerts, but doesn't log any of the packet data. Snort is starting with -u snort -g snort -d -D -b -c /etc/snort/snort.conf. I've tried removing -b, but it still alerts to disk. Any other suggestions that I can try?

Thanks again,
NW

-----Original Message-----
From: L. Christopher Luther [mailto:CLuther () Xybernaut com]
Sent: Wednesday, May 07, 2003 8:49 PM
To: Nick White
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] disable /var/log/snort logging

Nick,

Snort uses two output facilities - one for alerts and one for logs [0] (a must read). Your snort.conf only specifies an output facility for the alerts, so I'm thinking that Snort therefore falls back to its 'default' logging facility (i.e., /var/log).

From what I've read and understand, you have two choices:

1) '-N' on the command line (yes, I know you said it didn't work)
2) In snort.conf, add an 'output log_null' after the 'output database: alert ...'

Also: "Note that command line logging options override any output options specified in the configuration file. This allows debugging of configuration issues quickly via the command line." [1]

This could be why specifying '-N' on the command line disables the output plugin for MySQL. Try the 'output log_null' in snort.conf and let us know what happens.

HTH,
Christopher

[0] http://www.theadamsfamily.net/~erek/snort/logging_methods.txt
[1] http://www.snort.org/docs/writing_rules/chap1.html#tth_sEc1.4.1

-----Original Message-----
From: Nick White [mailto:nwhite () avidbio com]
Sent: Wednesday, May 07, 2003 7:48 PM
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] disable /var/log/snort logging

You're right, the -N option turns off packet logging. Sure it doesn't write to the disk, but it turns off packet logging within mysql as well - not cool. Surely there is a way to have snort log everything to mysql (even packet logging), without dumping data to the hard drive. I just can't figure out how.

I'm starting snort with the -b (binary logging) option, which takes care of it crashing after a few minutes under a really heavy load. Even still, logging to the disk is a total waste because I'll never do anything with the binary logs.

-----Original Message-----
From: Anderson Johnston [mailto:andy () umbc edu]
Sent: Tuesday, May 06, 2003 3:36 PM
To: Nick White
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] disable /var/log/snort logging

The -N option should suppress logging (while allowing alerts). Caveats:

1. I don't know if it will stop logs to mysql, too.
2. The option doesn't seem to be working on my system (Solaris 8) under Snort 2.0.

- Andy

On Tue, 6 May 2003, Nick White wrote:

Hi All,

I'm fairly new with snort, so go easy on me. I'm running snort and logging to mysql just fine. The problem is, it's also logging to /var/log/snort. I need to figure out how to disable this logging to disk. I've looked at all the switches, and I can't seem to figure it out. I tried -A none, but then it stopped alerting to mysql. I also tried -l /dev/null, but it didn't like that one.

Snort starts as a service via:

/usr/local/bin/snort -u snort -g snort -d -D -c /etc/snort/snort.conf

In snort.conf, I log to mysql with:

output database: alert, mysql, user=snortusr password=fakepass dbname=snort host=localhost

I'm trying to kill snort with as much data as I can throw at it, and it always dies after a few minutes with:

May 6 14:54:34 localhost snort: FATAL ERROR: OpenLogFile() => fopen(/var/log/snort/10.10.1.30/UDP:138-138) log file: Not a directory

But I KNOW that the snort user has full permission to /var/log/snort. But I don't need logging to disk. It's a waste. I only want it to log to mysql.

Thanks for your help!

- nick white

-------------------------------------------------------
Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara
The only event dedicated to issues related to Linux enterprise solutions
www.enterpriselinuxforum.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list
------------------------------------------------------------------------------
** Andy Johnston (andy () umbc edu)          * pager: 410-678-8949              **
** Manager of IT Security                    * PGP key:(afj2002) 4096/8448B056  **
** Office of Information Technology, UMBC    * 4A B4 96 64 D9 B6 EF E3 21 9A    **
** 410-455-2583 (v)/410-455-1065 (f)         * 46 1A 37 11 F5 6C 84 48 B0 56    **
------------------------------------------------------------------------------
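A small checker for the snort.conf situation discussed in this thread, added here as an example; it is not code from the thread or from the Snort project. It parses the `output` directives, flags `log_null` written as a parameter of the database plugin instead of its own line, warns when no plugin is registered for the log facility (the case in which Snort falls back to packet logging under /var/log/snort), and flags the command-line switches the thread found override the config. The plugin list and the two conf samples are constructed, mirroring the lines quoted above.

```python
import re
# Snort 2.x plugins registering for the "log" facility (constructed list, not
# exhaustive); "database" joins it only when its first argument is "log".
LOG_PLUGINS = {"log_null", "log_tcpdump", "log_unified"}
OUTPUT_RE = re.compile(r"^\s*output\s+(\w+)\s*(?::\s*(.*))?$")

def parse_output_lines(conf_text):
    """Return (plugin, argument string) for every `output` directive."""
    entries = []
    for line in conf_text.splitlines():
        m = OUTPUT_RE.match(line.split("#", 1)[0].rstrip())  # drop comments
        if m:
            entries.append((m.group(1), m.group(2) or ""))
    return entries

def check_log_facility(conf_text):
    """Return findings about where Snort's log facility will end up."""
    findings, log_plugin_seen = [], False
    for plugin, args in parse_output_lines(conf_text):
        tokens = [t.strip() for t in args.split(",")]
        if plugin == "database":
            log_plugin_seen |= tokens[0] == "log"
            if "log_null" in tokens:
                findings.append("log_null given as a database parameter; it is "
                                "its own plugin, use a separate 'output log_null' line")
        elif plugin in LOG_PLUGINS:
            log_plugin_seen = True
    if not log_plugin_seen:
        findings.append("no output plugin handles the log facility, so Snort falls "
                        "back to default packet logging under -l (/var/log/snort)")
    return findings

def check_cmdline(argv):
    """Flag switches that override snort.conf output settings (the manual says
    command-line logging options take precedence over the config file)."""
    findings = []
    if "-N" in argv:
        findings.append("-N disables packet logging for every log plugin, database included")
    if "-A" in argv and argv[argv.index("-A") + 1:][:1] == ["none"]:
        findings.append("-A none turns alerting off, overriding the config's alert output")
    return findings

# Constructed samples mirroring the thread: the line that still logs to disk
# and the two-line form suggested in the reply.
BROKEN_CONF = ("output database: alert, mysql, log_null, user=snortusr "
               "password=fakepass dbname=snort host=localhost\n")
FIXED_CONF = ("output database: alert, mysql, user=snortusr password=fakepass "
              "dbname=snort host=localhost\noutput log_null\n")
```

Running check_log_facility(BROKEN_CONF) yields both findings, while FIXED_CONF yields none.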
Current thread:
- disable /var/log/snort logging Nick White (May 06)
- Re: disable /var/log/snort logging Anderson Johnston (May 06)
- <Possible follow-ups>
- RE: disable /var/log/snort logging Nick White (May 07)
- Re: disable /var/log/snort logging Bamm Visscher (May 08)
- RE: disable /var/log/snort logging Joesph Bowling (May 07)
- RE: disable /var/log/snort logging L. Christopher Luther (May 07)
- RE: disable /var/log/snort logging Nick White (May 08)
- RE: disable /var/log/snort logging Nick White (May 08)
- Re: disable /var/log/snort logging Bamm Visscher (May 08)
- RE: disable /var/log/snort logging L. Christopher Luther (May 08)
- RE: disable /var/log/snort logging L. Christopher Luther (May 08)
- RE: disable /var/log/snort logging Nick White (May 08)