Re: syslog output problem

[Joel Esler <eslerj () gmail com>]

It looks like you have local0.none in your /var/log/messages line.  I can't
remember, since it's been awhile since I've used the Syslog output module,
but, does syslog.conf process all log lines and sends alerts to all files
listed, or only the first one it comes across.
J

On Thu, Mar 12, 2009 at 11:57 AM, Terry <td3201 () gmail com> wrote:

> Thank you for your response.  I modified the command line so those
> options are no longer in there:
> /usr/sbin/snort -d -D -i eth1 -s -u snort -g snort -c
> /etc/snort/snort.conf -l /var/log/snort
>
> I am still not seeing this in my foo.log as expected.  Again, here is
> the output in snort.conf:
> output alert_syslog: LOG_LOCAL0 LOG_ALERT
>
> And my syslog.conf:
> *.info;mail.none;authpriv.none;cron.none;local0.none    /var/log/messages
> authpriv.*                                              /var/log/secure
> local0.*                                                /var/log/foo.log
>
>
> I am seeing some stuff in /var/log/messages for some reason:
> Mar 12 10:57:03 XXXXXX snort[9072]: [1:882:6] WEB-CGI calendar access
> [Classification: Attempted Information Leak] [Priority: 2]: {TCP}
> XXXXXX:36759 -> XXXXX:80
>
>
>
>
>
> On Thu, Mar 12, 2009 at 9:41 AM, Joel Esler <eslerj () gmail com> wrote:
> > You are using -b and -A on the command line.  Command line options
> override
> > snort.conf options.
> > J
> >
> > On Thu, Mar 12, 2009 at 9:58 AM, Terry <td3201 () gmail com> wrote:
> > > Hello,
> > >
> > > I can't seem to get syslog and snort working well together.   Here's
> what
> > > I got:
> > >
> > > commands I've tried:
> > > /usr/sbin/snort -A fast -b -d -D -i eth1 -s -u snort -g snort -c
> > > /etc/snort/snort.conf -l /var/log/snort
> > > /usr/sbin/snort -b -d -D -i eth1 -s -u snort -g snort -c
> > > /etc/snort/snort.conf -l /var/log/snort
> > >
> > > snort.conf:
> > > output alert_syslog: LOG_LOCAL0 LOG_ALERT
> > >
> > > syslog.conf:
> > > local0.*
> > >     /var/log/foo.log
> > > *.info;mail.none;authpriv.none;cron.none;local0.none
>  /var/log/messages
> > > I see stuff going into /var/log/messages but that's it.  What am I
> > > missing?
> ------------------------------------------------------------------------------
> > > Apps built with the Adobe(R) Flex(R) framework and Flex Builder(TM) are
> > > powering Web 2.0 with engaging, cross-platform capabilities. Quickly and
> > > easily build your RIAs with Flex Builder, the Eclipse(TM)based
> development
> > > software that enables intelligent coding and step-through debugging.
> > > Download the free 60 day trial. http://p.sf.net/sfu/www-adobe-com
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> >
> >
> > --
> > Joel Esler
> > T: 302-223-5974 (-) Gtalk: jesler () sourcefire com
> > [m]



-- 
Joel Esler
T: 302-223-5974 (-) Gtalk: jesler () sourcefire com
[m]

------------------------------------------------------------------------------
Apps built with the Adobe(R) Flex(R) framework and Flex Builder(TM) are
powering Web 2.0 with engaging, cross-platform capabilities. Quickly and
easily build your RIAs with Flex Builder, the Eclipse(TM)based development
software that enables intelligent coding and step-through debugging.
Download the free 60 day trial. http://p.sf.net/sfu/www-adobe-com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users