Re: How to stop snort to log startup messages into syslog?

[Jeremy Hoel <jthoel () gmail com>]

It's not my scripts.. I would lookup the NSM scripts and maybe grab a
SecurityOnion live CD and check out it's startup scripts.

Also.. LOG is defined as:   LOG=$PROCESS_LOG_DIR/$SENSOR/snortu-$i.log




On Tue, Apr 15, 2014 at 5:50 PM, Gerhard Mourani <GMourani () prival ca> wrote:

>  Not clear, I can’t find the parameter related to $LOG in your message,
> seem to be inside the process_start script.
>
>
>  On Apr 15, 2014, at 1:25 PM, Jeremy Hoel <jthoel () gmail com> wrote:
>
>  Found it..
>
>  From the So mailing list..  (more info here -
> http://seclists.org/snort/2013/q2/55)
>
>  ---------------
> Hi Phil,
>
> In Security Onion, we start Snort using the NSMnow scripts which
> provide a function called process_start.  This function starts the
> process and writes the log to a dedicated log file (not syslog).  In
> the following code snippet, you can see that we're logging to $LOG,
> which ends up being /var/log/nsm/HOSTNAME-INTERFACE/snortu-1.log.
>
>                 # Start $IDS_LB_PROCS instances of Snort using pfring
> load-balancing
>                 for i in `seq 1 $IDS_LB_PROCS`; do
>                         PID=$PROCESS_PID_DIR/$SENSOR/snortu-$i.pid
>                         LOG=$PROCESS_LOG_DIR/$SENSOR/snortu-$i.log
>                         PERFMON=$SENSOR_LOG_DIR/snort-$i.stats
>                         UNI_DIR=$SENSOR_LOG_DIR/snort-$i
>                         mkdir -p $UNI_DIR
>                         chown $SENSOR_USER:$SENSOR_GROUP $UNI_DIR
>                         [ -z "$SKIP_SNORT_ALERT" ] && process_start
> "snort" "-c $SNORT_CONFIG -u $SENSOR_USER -g $SENSOR_GROUP -i
> $SENSOR_INTERFACE_SHORT -F /etc/nsm/$SENSOR/bpf-ids.conf -l $UNI_DIR
> --perfmon-file $PERFMON $SNORT_OPTIONS
> " "$PID" "$LOG" "snort-$i (alert data)"
>                 done
>
>
>
> On Tue, Apr 15, 2014 at 5:22 PM, Jeremy Hoel <jthoel () gmail com> wrote:
>
> > But that option is just for it's alerting output right? Not the
> > startup/shutdown messages (of which there are more then a few).  I
> > commented out the output line (output alert_syslog: LOG_LOCAL6 LOG_ALERT)
> > in my snort.conf and I still see the startup/shutdown messages.
> >
> >  For the OP - Security Onion does this (negates the messages in syslog)
> > and it does it by starting snort differently. I'm trying to find the thread
> > that talked about it.
> >
> >
> > On Tue, Apr 15, 2014 at 5:02 PM, Nicholas Mavis (nmavis) <
> > nmavis () cisco com> wrote:
> >
> > > You can turn off syslogging in your Snort.conf file. I would recommend
> > > reading through the following:
> > >
> > > http://manual.snort.org/node21.html
> > >
> > > -Nick
> > >
> > >
> > > On 4/15/14, 11:55 AM, "Gerhard Mourani" <GMourani () prival ca> wrote:
> > >
> > > > Hello list,
> > > >
> > > > I don¹t know if there is a way to start the Snort process without having
> > > > its startup messages being logged into syslog -> /var/log/messages?
> > > > I¹ve tried to start it with the following parameters without success,
> > > > still log startup messages into the /var/log/messages file.
> > > >
> > > > snort -c /etc/snort/snort.conf -D -g snort -q -N --daq afpacket
> > > --daq-var
> > > > buffer_size=512MB -i eth1
> > > >
> > > > Regards,
> > >
> > > > --------------------------------------------------------------------------
> > > > ----
> > > > Learn Graph Databases - Download FREE O'Reilly Book
> > > > "Graph Databases" is the definitive new guide to graph databases and
> > > their
> > > > applications. Written by three acclaimed leaders in the field,
> > > > this first edition is now available. Download your free book today!
> > > > http://p.sf.net/sfu/NeoTech
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists sourceforge net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > > >
> > > > Please visit http://blog.snort.org to stay current on all the latest
> > > > Snort news!
> > >
> > >
> > >
> > > ------------------------------------------------------------------------------
> > > Learn Graph Databases - Download FREE O'Reilly Book
> > > "Graph Databases" is the definitive new guide to graph databases and
> > > their
> > > applications. Written by three acclaimed leaders in the field,
> > > this first edition is now available. Download your free book today!
> > > http://p.sf.net/sfu/NeoTech
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest
> > > Snort news!

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and their
applications. Written by three acclaimed leaders in the field,
this first edition is now available. Download your free book today!
http://p.sf.net/sfu/NeoTech

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!