Snort mailing list archives

snort not logging to both syslog and specified log directory


From: M Venkatesh <cryptonika () yahoo com>
Date: Wed, 29 Aug 2001 12:36:45 -0700 (PDT)

Hi all,
       I want snort to log to a specific log directory (/var/log/snort/LOGS/DMZ/DATE.HOUR) and to syslog. SUBNET ADDRESS is the address of the subnet I wish to monitor. DATE.HOUR is the PREVIOUS DATE.HOUR file used by the hourly_wrapup script available in the Snorticus collection for sensor-console deployment of snort. I have slightly modified the script to start an instance of snort using the -l and -s switches. Snort logs to the appropriate file (/var/log/secure) in syslog. It also creates one directory for each source IP address that caused an alert under the monitored subnet's directory (SUBNET-ADDRESS) in the specified log directory (/var/log/snort/LOGS/DMZ/DATE.HOUR). However, it doesn't create the "alert" file (the file that logs all the alerts irrespective of their source IP addresses) in this specified directory. Therefore, the snortsnarf perl script at the management console is reporting zero alerts for that hour. The "alert" file is created in the specified directory when I use only the -l switch.

I encounter the same problem when I use the -l and the -M switch (for smbalerts using smbclients). As a work-around, I started two instances of snort for the same interface. One instance used the -l switch alone, the other used the -M switch alone. It worked. Is this the right way to do it? Are there any performance implications? If I need to log to syslog, I intend to start a third instance !! Please suggest a better method if one exists! (I can't specify the output plug-ins in the rules file. The command line switch would override it!)

Thanks in advance
M.P.Venkatesh
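An added configuration example, not from the post above or from the Snorticus scripts, showing the alternative to running three snort processes: declare the outputs in the rules file and pass only -l on the command line, so a single instance feeds syslog, the per-hour "alert" file that SnortSnarf reads, and the SMB alert list at the same time. It assumes the Snort 1.x output plugin names alert_syslog, alert_full and alert_smb, a rules file at /etc/snort/snort.conf, a workstation list at /etc/snort/workstation.list, and that the -s and -M switches are left off the command line so they do not override these settings; the log directory path is the one from the post.

```conf
# Output section of /etc/snort/snort.conf (added example, not the poster's config)

# Alerts to syslog, the same effect as the -s switch.
# LOG_AUTH LOG_ALERT is the facility/priority pair from the Snort documentation;
# with a typical syslog.conf, LOG_AUTH messages land in /var/log/secure.
output alert_syslog: LOG_AUTH LOG_ALERT

# Full-text alerts into the "alert" file that SnortSnarf expects.
# The name is relative to the directory given with -l, so with
# -l /var/log/snort/LOGS/DMZ/DATE.HOUR it becomes
# /var/log/snort/LOGS/DMZ/DATE.HOUR/alert.
output alert_full: alert

# SMB/WinPopup alerts, the same effect as the -M switch.
# One workstation name per line in the list file (path is an assumption).
output alert_smb: /etc/snort/workstation.list

# With no log output plugin declared, packet logging keeps the default
# per-source-IP directories under the -l directory. Declaring log_tcpdump
# instead would write a single binary capture file there.
# output log_tcpdump: snort.log
```

Start the sensor once, for example `snort -c /etc/snort/snort.conf -l /var/log/snort/LOGS/DMZ/DATE.HOUR -i <interface>` with no -s or -M, so the rules-file outputs stay in force. One process also means the interface is captured once rather than two or three times, which answers the performance question: every extra instance decodes the same traffic again and triples the chance of dropped packets under load.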


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
