RE: Problems logging to syslog and mysqlsimultaneously

["Michael Steele" <michaels () silicondefense com>]

Frank,

I'm running Windows and I am logging to local syslog using Snort.conf,
I'm not using the -s switch. I'm also logging to MySQL.

I'm going to forward this to Chris Ried and see what he has to say about
this. This may be useful, but why am I able to log to the local syslog
using snort.conf and others are having problems?

Michael Steele | System Engineer / System Administrator     
mailto:michaels () silicondefense com
http://www.silicondefense.com

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Frank
Knobbe
Sent: June 21, 2002 8:48 PM
To: Michael Steele
Cc: 'Don'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Problems logging to syslog and
mysqlsimultaneously

On Wed, 2002-06-19 at 19:38, Michael Steele wrote:
> Don,
>
> Hummm... This is bizarre... I have 37k alerts in my Syslog, so I know
it
> works. Are you sure you don't have some service turned off that is
> preventing the alerts from arriving? 
>
> What version of Snort?
>
> Do you have alerts in the syslog?
>
> Can you send me your snort.conf?


Not at all bizarre. I think this affects only the Windows version.
Here's why. The syslog config in snort.conf is useless under Windows
machines since it does not specify an IP address of a syslog server.
Windows not have a native syslog thingy, so without specifying an IP
address, Snort doesn't log. Again, only under Windows. Under *nix, the
syslog config in snort.conf works fine.

If you specify a syslog server with -s in the command line, you enable
Snort-win32 to log to syslog. However, the command line option overrides
the snort.conf, so other outputs don't work.

The solution is to hack the code. You can have Snort accept the -s
option, and at the same time still use snort.conf outputs. So after the
hack, you can log to syslog and *SQL.

In snort.c, withing ParseCmdLine, you'll find:

#ifdef WIN32
            case 'E':                /* log alerts to Event Log */
                pv.syslog_flag = 1;
                pv.syslog_remote_flag = 0;
                DebugMessage(DEBUG_INIT, "Logging alerts to Event
Log\n");
                pv.alert_cmd_override = 1;
                break;
#endif

Just remove the >pv.alert_cmd_override = 1;< and you can specify -s
without overriding the snort.conf.

Regards,
Frank






-------------------------------------------------------
Sponsored by:
ThinkGeek at http://www.ThinkGeek.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users