Snort mailing list archives

RE: Great news! Snort not logging to the /var/log/snort/alert file


From: "Jim Hendrick" <jrhendri () maine rr com>
Date: Thu, 25 Mar 2004 07:25:08 -0500

Alan,

I am now curious if you are logging via syslog (which might explain why it
is going to the messages file).
That would be specified as "alert_syslog" somewhere in your
<snortdir>/etc/snort.conf or whatever conf file you are pointing to when
snort starts.

It might really help you to rebuild snort a few times from source, reading
and understanding the configuration defaults.

Most things are specified at compile time using options to "configure" or at
run time with options in the snort.conf or on the command line
(in that order, i.e. command-line overrides conf overrides compile default)

General tip:
learn "find" and "grep" and your life building source will be much happier.
Here's a quick couple of examples:

in the <snortdir>/doc directory, look for which files contain the string
"/var/log/snort"

[hendrick@vall doc]$ grep -l "/var/log/snort" *
FAQ
README
USAGE
grep: signatures: Is a directory
snort_manual.tex
[hendrick@vall doc]$ 

The "-l" tells grep to simply list the filenames.

Or find all files in this subtree and do the same thing to them:

[hendrick@vall snort-2.1.1-RC1]$ find . -type f -exec grep -l "/var/log/snort" {} \;
./ChangeLog
./snort.8
./src/parser.c
./src/snort.h
./src/parser.o
./src/snort.o
./src/snort
./doc/README
./doc/FAQ
./doc/snort_manual.tex
./doc/USAGE
./contrib/rpm/snortd
./contrib/rpm/snort.logrotate
./contrib/rpm/snort.org.spec
./contrib/rpm/snort.sysconfig
./contrib/address_config.sh
[hendrick@vall snort-2.1.1-RC1]$ 

Aha! Looks like a header file (./src/snort.h) has that in it... Look for it
in that file (without the "-l" this time)

[hendrick@vall snort-2.1.1-RC1]$ grep "/var/log/snort" ./src/snort.h
    #define DEFAULT_LOG_DIR            "/var/log/snort"
[hendrick@vall snort-2.1.1-RC1]$ 

Not to discourage you from posting questions to mailing lists, but you will
find your own brain has a shorter response time once you learn a couple of
these basic techniques :-)

Later,
Jim


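The two checks Jim describes, as an added example in POSIX shell (this is not code from the original post or from the Snort project): given a snort.conf, list the output plugins that are actually in effect (a commented-out line must not count) and tell whether alerts are being handed to syslog, and given a source tree, pull the compiled-in DEFAULT_LOG_DIR out of the headers and list every file that mentions a string. The sample snort.conf and the stub src/snort.h are constructed here so the script runs offline; the function names are mine. The `output alert_syslog: LOG_AUTH LOG_ALERT` line uses Snort 2.x's real output-plugin syntax.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a constructed
# snort.conf and a stub source tree, then uses grep/find the way the
# post describes.
set -u

# Constructed sample data (not real Snort files).
make_sample() {
    dir=$1
    mkdir -p "$dir/etc" "$dir/src" "$dir/doc"
    cat > "$dir/etc/snort.conf" <<'EOF'
# sample snort.conf (constructed for this example)
var HOME_NET any
# output alert_fast: alert
output alert_syslog: LOG_AUTH LOG_ALERT
   output log_tcpdump: tcpdump.log
EOF
    cat > "$dir/src/snort.h" <<'EOF'
/* constructed stub of src/snort.h */
#define DEFAULT_LOG_DIR            "/var/log/snort"
EOF
    printf 'see /var/log/snort in the manual\n' > "$dir/doc/README"
}

# Print only the output plugins that are in effect: strip leading
# whitespace, drop comment lines, keep "output <plugin>" and print the
# plugin name. The commented-out alert_fast line is ignored.
active_outputs() {
    conf=$1
    sed 's/^[[:space:]]*//' "$conf" | grep -v '^#' | grep '^output ' \
        | sed 's/^output \([A-Za-z_]*\).*/\1/'
}

# Exit status answers "does this config send alerts to syslog?"
logs_to_syslog() {
    active_outputs "$1" | grep -q '^alert_syslog$'
}

# Walk a source tree's headers and print the quoted value of a #define,
# e.g. compiled_default ./src DEFAULT_LOG_DIR -> /var/log/snort
compiled_default() {
    tree=$1; name=$2
    find "$tree" -type f -name '*.h' \
        -exec grep -h "#define[[:space:]]*$name[[:space:]]" {} \; \
        | sed 's/.*"\(.*\)".*/\1/' | head -n 1
}

# Every regular file under the tree that mentions a string, as paths
# relative to the tree (the find/grep -l idiom from the post), sorted.
files_mentioning() {
    tree=$1; needle=$2
    (cd "$tree" && find . -type f -exec grep -l -- "$needle" {} \;) | sort
}

# Stand-alone demo.
tmp=$(mktemp -d)
make_sample "$tmp"
echo "active output plugins:"; active_outputs "$tmp/etc/snort.conf"
if logs_to_syslog "$tmp/etc/snort.conf"; then
    echo "alerts go to syslog (look in /var/log/messages), not to" \
         "$(compiled_default "$tmp/src" DEFAULT_LOG_DIR)"
fi
echo "files mentioning /var/log/snort:"; files_mentioning "$tmp" /var/log/snort
rm -rf "$tmp"
```

If `active_outputs` prints `alert_syslog`, the alerts are going wherever syslog's configuration routes that facility and priority, which on many Linux boxes of that era is /var/log/messages; the compiled-in DEFAULT_LOG_DIR only matters for the output plugins that write files, and it is itself overridden by `-l` on the command line.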

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Alan
Sent: Thursday, March 25, 2004 4:30 AM
To: Jim Hendrick
Cc: snort-users () lists sourceforge net
Subject: Great news! [Snort-users] Snort not logging to the /var/log/snort/alert file


Everyone-


I have some great news! :)

1. I found out where my alerts are going.
2. I got Swatch to work!

Ok. I was browsing my /var/log/messages file and found out that the alerts
are being written to this file. Here is an output of my /var/log/messages
file:



