Snort mailing list archives
RE: Snort PID in /var/log/messages
From: "Basselgia, Barry A Mr (NAF Atsugi)" <BABasselgia () atsugi navy mil>
Date: Tue, 1 Feb 2005 16:13:58 +0900
I looked back through the archives and couldn't find an answer to this. Is there a way to get snort to include the process ID along with the process name when it logs to syslog?

I have multiple instances of snort and barnyard running on my sensors. Barnyard 0.2.0 includes the PID with everything it logs to syslog, making it very easy to figure out which instance an alert comes from. But Snort 2.3.0 doesn't.

I've looked through the syslog code for both Snort and Barnyard. They seem to be similar, and both seem to have a LOG_PID option. I just can't figure out why Snort isn't doing it. Is there a switch that needs to be turned on for Snort?

Barry

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net]On Behalf Of sekure
Sent: Thursday, December 02, 2004 4:33 AM
To: tbaker () accessway net
Cc: Snort
Subject: Re: [Snort-users] Snort PID in /var/log/messages

That's not really what I am asking... When snort daemonizes itself it logs its startup messages to syslog, which then end up in /var/log/messages or whatever you designate. Usually, most daemons include the process id with every message to syslog. Snort hasn't been.

Example:

Dec 1 11:35:30 hostname snort: Initializing daemon mode
Dec 1 11:35:30 hostname snort: PID path stat checked out ok, PID path set to /var/run/
Dec 1 11:35:30 hostname snort: Writing PID "17944" to file "/var/run//snort_eth3.pid"
Dec 1 11:35:31 hostname barnyard[17945]: Initializing daemon mode

Notice how there is the PID of the barnyard process in the braces, but not of snort. I have 3 snort instances running on one machine, and as a result I have no way of knowing which one daemon logs which messages.

On Wed, 1 Dec 2004 11:53:27 -0500, Tom Baker <tbaker () accessway net> wrote:
You will see the line:

Nov 29 12:07:14 ogre snort: Writing PID "YOUR PID HERE" to file "/var/run//snort_fxp0.pid"

-T

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net]On Behalf Of sekure
Sent: Wednesday, December 01, 2004 11:41 AM
To: Snort
Subject: [Snort-users] Snort PID in /var/log/messages

Can someone please do a quick check and see if the PID of snort is recorded in /var/log/messages or wherever snort logs its startup information. For some reason snort is the only process on my machine that does NOT log its PID to syslog. I've seen this in 2.2 and now in 2.3RC1.

Thanks

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
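Added example, not part of the thread and not Snort or Barnyard code: a small Python audit over syslog lines in the format quoted above. It counts, per program tag, the messages that carry no [pid], and recovers PIDs from the "Writing PID" startup line. The sshd sample line and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# First four lines are the ones quoted in the thread; the sshd line is constructed.
SAMPLE = '''\
Dec 1 11:35:30 hostname snort: Initializing daemon mode
Dec 1 11:35:30 hostname snort: PID path stat checked out ok, PID path set to /var/run/
Dec 1 11:35:30 hostname snort: Writing PID "17944" to file "/var/run//snort_eth3.pid"
Dec 1 11:35:31 hostname barnyard[17945]: Initializing daemon mode
Dec 1 11:35:32 hostname sshd[812]: Server listening on 0.0.0.0 port 22.
'''

# "Mon D HH:MM:SS host tag[pid]: message", where "[pid]" is optional.
LINE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s'
    r'(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s(?P<msg>.*)$')

# Startup message that names the PID and the per-interface PID file.
PIDFILE = re.compile(r'Writing PID "(\d+)" to file "([^"]+)"')


def parse(line):
    """Return the fields of one syslog line as a dict, or None if it does not match."""
    m = LINE.match(line)
    return m.groupdict() if m else None


def audit(text):
    """Return ({tag: count of lines without a PID}, {pid_file: pid})."""
    missing = defaultdict(int)
    pidfiles = {}
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue  # not a syslog line in the expected format
        if rec['pid'] is None:
            missing[rec['tag']] += 1
        m = PIDFILE.search(rec['msg'])
        if m:
            pidfiles[m.group(2)] = int(m.group(1))
    return dict(missing), pidfiles


if __name__ == '__main__':
    no_pid, pid_by_file = audit(SAMPLE)
    print('tags logging without a PID:', no_pid)
    print('PIDs recovered from startup lines:', pid_by_file)
```

The recovered PID identifies which instance wrote a given "Writing PID" line, but it cannot attribute the other untagged snort lines when several instances log at the same time.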
Current thread:
- RE: Snort PID in /var/log/messages Basselgia, Barry A Mr (NAF Atsugi) (Jan 31)
- Re: Snort PID in /var/log/messages Edin Dizdarevic (Feb 01)
- Re: Snort PID in /var/log/messages Jeremy Hewlett (Feb 01)
- <Possible follow-ups>
- RE: Snort PID in /var/log/messages Basselgia, Barry A Mr (NAF Atsugi) (Feb 01)
- Re: Snort PID in /var/log/messages Justin Heath (Feb 10)