Snort mailing list archives

Re: Snort and Syslog


From: waldo kitty <wkitty42 () windstream net>
Date: Thu, 04 Apr 2013 12:38:13 -0500

On 4/4/2013 10:45, Josh Bitto wrote:
You're probably better off asking this question in rsyslog's mail group. I've gotten a lot of help from them.

or even better, report it to OSSEC so it can be fixed and not have the problems 
any more... one has to wonder what all the other OSSEC using sites do since this 
info is always posted... i just checked a live snort 2.8.something installation 
and it posts this info, too... i know there are folks using OSSEC who used to 
run snort 2.8...

-----Original Message-----
From: Phil Daws [mailto:uxbod () splatnix net]
Sent: Thursday, April 04, 2013 5:24 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort and Syslog

Hi,

When Snort starts it writes specific information to /var/log/messages eg.

Apr  4 12:01:40 fw1 snort[2951]: [ Port Based Pattern Matching Memory ]
Apr  4 12:01:40 fw1 snort[2951]: +- [ Aho-Corasick Summary ] -------------------------------------
Apr  4 12:01:40 fw1 snort[2951]: | Storage Format    : Full-Q
Apr  4 12:01:40 fw1 snort[2951]: | Finite Automaton  : DFA
Apr  4 12:01:40 fw1 snort[2951]: | Alphabet Size     : 256 Chars
Apr  4 12:01:40 fw1 snort[2951]: | Sizeof State      : Variable (1,2,4 bytes)
Apr  4 12:01:40 fw1 snort[2951]: | Instances         : 294
Apr  4 12:01:40 fw1 snort[2951]: |     1 byte states : 275
Apr  4 12:01:40 fw1 snort[2951]: |     2 byte states : 19
Apr  4 12:01:40 fw1 snort[2951]: |     4 byte states : 0
Apr  4 12:01:40 fw1 snort[2951]: | Characters        : 249637

How can I redirect those messages to a separate file as it plays havoc with OSSEC :) I have tried adding snort.none 
to rsyslog.conf for /var/log/messages and then added snort.* to direct to another file. That did not work :(

Any thoughts please?
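The selectors Phil tried cannot work because `snort` is not a syslog facility: a `facility.priority` selector matches only on the facility Snort's messages were sent with, so rsyslog has no way to pick them out by program with `snort.*` or `snort.none`. Routing them by the program name in the syslog tag is done with a property-based filter instead. The excerpt below is an added example, not from this thread; it assumes the legacy rsyslog selector syntax of the v5/v7 era and a target file of /var/log/snort.log:

```conf
# rsyslog.conf excerpt (added example). Rules are evaluated top to bottom,
# so this block must come BEFORE the rule that writes /var/log/messages.

# Property-based filter: match on the program name from the syslog tag
# ("snort[2951]:" in the lines above), not on a facility.
:programname, isequal, "snort"    /var/log/snort.log

# Discard the message after it has been written, so it never reaches the
# catch-all rule below (and therefore never reaches OSSEC's reading of
# /var/log/messages). On rsyslog 7 and later write "& stop" instead of "& ~".
& ~

# Existing catch-all rule stays as it is; Snort's startup output no longer
# arrives here.
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
```

Check the edited file with `rsyslogd -N1` before restarting rsyslog; OSSEC can then be pointed at /var/log/snort.log separately if those lines are wanted at all.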


