Snort mailing list archives

Snort not logging to the /var/log/snort/alert file


From: ids () san rr com
Date: Fri, 26 Mar 2004 11:08:34 -0800

Hello-


I just wanted to give everyone an update on my alert logging problem. I fixed everything. I took Jim's advice and 
rebuilt Snort from source and got it to write to the alert file again. What happened was I upgraded the version 
of Snort and didn't notice it no longer wrote to my /var/log/snort/alert file. That's why Swatch didn't work. After 
rebuilding Snort and remaking the start-up script everything is working beautifully again. I also learned a bunch of 
new things (like the CSV option...Thanks Jan!) and hopefully won't make the same mistake again. 

Thanks everyone for the great advice. 




Hmmm. Not sure about the swatch stuff, but you should not have to rebuild
snort at all.

I would first check a couple of basic things like:
Is there any snort process still running? (using ps -aef | grep snort)
Is the /var/log/snort/ partition full? (using df -k /var/log/snort)
Does root have write permission in there (using sudo touch
/var/log/snort/foo and seeing if "foo" is created)

You should be fine with permissions something like this:

[hendrick@vall snort]$ ls -ald /var/log/snort
drwxr-xr-x  3827 root     root        90112 Mar 24 21:15 /var/log/snort
[hendrick@vall snort]$ ls -al /var/log/snort/alert
-rw-------    1 root     root        33210 Mar 24 21:15 /var/log/snort/alert
[hendrick@vall snort]$ 

If this looks OK but starting a new snort refuses to write to
/var/log/snort/alert (I'm not sure why not at that point)
you could try asking it to write somewhere else 

sudo mkdir /tmp/snortlogs
sudo snort -A Full -l /tmp/snortlogs

and see if it creates a /tmp/snortlogs/alert file.
If it does this OK, then something really weird (that's a technical term :-)
has happened, and the filesystem won't let snort create one in that
directory (although I've never seen that happen...yet)

In that case, you might try asking if any process thinks it has that file
open:

[hendrick@vall snort]$ sudo fuser -v /var/log/snort/alert

                     USER        PID ACCESS COMMAND
/var/log/snort/alert root      18246 f....  snort

in this case, this shows my normally running snort process.

Or else you could be more general with fuser, asking it if any processes
have files open in the /var/log/snort directory:

[hendrick@vall hendrick]$ sudo fuser -av /var/log/snort

                     USER        PID ACCESS COMMAND
/var/log/snort       root      18246 ..c..  snort
                     root      18251 ..c..  snort
[hendrick@vall hendrick]$ 


Note that fuser will also allow you to send a signal to that process
(man fuser for more options),
although once you have the PID, you can "sudo kill 18246" or whatever the
PID is.
Note that you should always try a normal "kill" first (it sends a SIGTERM to
the process),
but if this does not make it go away, try a "kill -9", which sends a
SIGKILL that cannot be trapped by the running program and *should* kill it.


Now I really hate to even mention this, (it not being a Windows box and
all...) but it is *very remotely* possible that a reboot would be required to
clean this up (I have on *very* rare occasions seen times when even fuser
would not easily free up a stubborn process/filehandle)

But I am reasonably confident that either you have a directory permissions
thing, or that there is something causing problems with that filehandle and
you should be past the problem soon.

Hope this helps.

Jim





-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
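Jim's checklist above (running process, full partition, write permission, and which process holds the alert file open), as an added example that is not part of the original thread or of Snort itself: a small POSIX sh script that runs those checks against a log directory. The function names are my own; it assumes a Linux /proc filesystem for the fuser-equivalent step and standard coreutils (ps, df, touch, readlink, sort).

```shell
#!/bin/sh
# Added example (not from the original thread): Jim's checklist for a Snort
# sensor that stopped writing /var/log/snort/alert, as a small sh script.
# Takes the log directory as $1 (default /var/log/snort) so it can also be
# pointed at a scratch directory. All helper names here are hypothetical.

# 1. Is a snort process still running?  (ps -aef | grep snort, minus the grep)
#    Prints one PID per line, nothing if none is running.
snort_pids() {
    ps -eo pid,comm 2>/dev/null | while read -r pid comm; do
        [ "$comm" = "snort" ] && echo "$pid"
    done
    return 0
}

# 2. Is the partition holding the log directory full?  (df -k)
#    Returns 0 when at least 1 KiB is available, 1 when full or unreadable.
check_space() {
    line=$(df -kP "$1" 2>/dev/null | tail -n 1) || return 1
    set -- $line    # Filesystem 1024-blocks Used Available Capacity Mounted-on
    [ "${4:-0}" -gt 0 ]
}

# 3. Can we actually create a file there?  (sudo touch /var/log/snort/foo)
#    Uses a throwaway probe name and removes it again; 0 = writable.
check_writable() {
    probe="$1/.snort-write-probe.$$"
    if touch "$probe" 2>/dev/null; then
        rm -f "$probe"
        return 0
    fi
    return 1
}

# 4. Which processes hold the alert file open?  The equivalent of
#    `fuser -v /var/log/snort/alert`, done by walking /proc/*/fd so it works
#    where fuser is not installed. Prints one PID per line (needs root to see
#    other users' processes, exactly like fuser).
holders_of_file() {
    target=$(readlink -f "$1") || return 1
    for fd in /proc/[0-9]*/fd/*; do
        link=$(readlink "$fd" 2>/dev/null) || continue
        if [ "$link" = "$target" ]; then
            pid=${fd#/proc/}
            echo "${pid%%/*}"
        fi
    done | sort -un
}

# Run the whole checklist and print a verdict for each step.
run_checks() {
    dir=${1:-/var/log/snort}
    alert="$dir/alert"
    echo "== snort processes =="
    pids=$(snort_pids)
    [ -n "$pids" ] && echo "$pids" || echo "(none)"
    echo "== free space on $dir =="
    check_space "$dir" && echo "ok" || echo "FULL or unreadable"
    echo "== write test in $dir =="
    check_writable "$dir" && echo "ok" || echo "cannot create files (permissions? read-only mount?)"
    if [ -e "$alert" ]; then
        echo "== processes holding $alert open =="
        holders=$(holders_of_file "$alert")
        [ -n "$holders" ] && echo "$holders" || echo "(none)"
    fi
}

# Only run the checklist when a directory is given on the command line, e.g.
#   sudo sh snort_logcheck.sh /var/log/snort
if [ $# -gt 0 ]; then
    run_checks "$1"
fi
```

Run it as root with the directory as the argument so the write test and the /proc walk see the same things snort and fuser would. The "ask snort to log somewhere else" experiment from the message (`snort -A ... -l /tmp/snortlogs`) is deliberately left as a manual step, since it needs the sensor's own configuration and interface.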
