Snort mailing list archives

Re: logging location


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Tue, 9 Sep 2014 00:47:42 +0000


On Sep 8, 2014, at 4:50 PM, Sean Browne <seanpbrowne () gmail com> wrote:

> Hi,
>
> For testing/learning I have one rule:
>
> alert ip any any -> any any ( msg:"Fred Alert"; content:"fred"; nocase; sid:1; )
>
> When this rule is triggered, a message is written to my /var/log/messages file. How can I tell Snort to log it
> somewhere else? I want to index the alerts/messages with Splunk, but I don't want all the other stuff found in
> /var/log/messages.
>
> I also use the command-line option -b, so any captured data is saved in a pcap-type file. This is completely separate,
> right? The traffic dumps are in one location and the msgs/alerts somewhere else?

You can configure multiple alert methods. You can have your alerts go to Splunk, and archive in pcap format.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos
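The configuration the reply describes, written out as an added example (not part of the original thread or of the Snort distribution): a snort.conf fragment for Snort 2.9.x that sends alerts to their own file for Splunk to pick up and keeps the packet archive in a separate pcap file. The log directory /var/log/snort and the file names are assumptions; adjust them to the local layout.

```conf
# Added example snort.conf output section (Snort 2.9.x). Assumed log
# directory: snort is started with -l /var/log/snort, so every relative
# file name below lands there.

# 1. One-line text alerts in a dedicated file. Point a Splunk file
#    monitor at /var/log/snort/snort.alert instead of /var/log/messages.
output alert_fast: snort.alert

# 2. Binary unified2 records (event plus the triggering packet), rolled
#    at 128 MB. This is the format barnyard2 and unified2-aware
#    collectors read; u2spewfoo, shipped with Snort, dumps it as text.
output alert_unified2: filename snort.u2, limit 128

# 3. Full packet archive in pcap format, separate from the alert files.
#    Snort appends a timestamp to the name (snort.pcap.<epoch>).
output log_tcpdump: snort.pcap

# Syslog output is what puts alerts into /var/log/messages. Leave it
# commented out (and drop -s from the command line) so alerts only go
# to the files above.
# output alert_syslog: LOG_AUTH LOG_ALERT
```

Alerts reach /var/log/messages only through the syslog output plugin, either `output alert_syslog:` in snort.conf or the `-s` command-line flag, so removing that is what stops the mixing; `-b` (log packets in tcpdump format) only affects the packet log, never where alert text is written. One unrelated caveat on the rule itself: SIDs below 1,000,000 are reserved for rules shipped with Snort, so a local test rule should use `sid:1000001;` or higher (and carry a `rev:`), or it will collide with official rules once a ruleset is loaded.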

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
