Snort mailing list archives
Useful logging of performance statistics
From: "Crook, Parker" <Parker_Crook () reyrey com>
Date: Tue, 22 Jun 2010 15:55:27 -0400
Good afternoon all,
I recently switched over to syslog-ng in my lab environment after living with the status-quo for way too long (On
Debian, Snort logs to /var/log/syslog). After being lazy and scrolling the few hundred/thousand lines to get to the
rules and preprocessor stats in my log files, I wanted a better way. Now that I am using syslog-ng, I have:
#DESTINATION
# One file per syslog priority.
destination snort_info { file("/var/log/snort_info"); };
destination snort_warn { file("/var/log/snort_warn"); };
destination snort_notice { file("/var/log/snort_notice"); };
destination snort_crit { file("/var/log/snort_crit"); };
destination snort_err { file("/var/log/snort_err"); };
destination snort_emerg { file("/var/log/snort_emerg"); };
#FILTER
# level() on its own matches every message at that priority from any program
# that logs through syslog, not only Snort; program("snort") would narrow it.
filter f_snort_info { level(info); };
filter f_snort_notice { level(notice); };
filter f_snort_warn { level(warn); };
filter f_snort_crit { level(crit); };
filter f_snort_err { level(err); };
filter f_snort_emerg { level(emerg); };
#LOG
# Route each priority from the catch-all source s_all to its own file.
log { source(s_all); filter(f_snort_info); destination(snort_info); };
log { source(s_all); filter(f_snort_notice); destination(snort_notice); };
log { source(s_all); filter(f_snort_warn); destination(snort_warn); };
log { source(s_all); filter(f_snort_crit); destination(snort_crit); };
log { source(s_all); filter(f_snort_err); destination(snort_err); };
log { source(s_all); filter(f_snort_emerg); destination(snort_emerg); };
And was kind of hoping for a nice breakup of logging; alas:
4 drwxr-xr-x 2 snort snort 4096 2010-06-22 15:04 snort
12 -rw-r----- 1 root adm 8465 2010-06-22 15:04 snort_err
452 -rw-r----- 1 root adm 455815 2010-06-22 15:17 snort_info
588 -rw-r----- 1 root adm 597570 2010-06-22 15:04 snort_notice
24 -rw-r----- 1 root adm 22932 2010-06-22 15:04 snort_warn
So I found the Preprocessor Profile Statistics & Rule Profile Statistics in snort_notice, but I still have to rummage
through a bunch of cruft just to get what I am looking for. So my question is: Is there a better way? I want to log
my rule profile & preprocessor profile statistics to a log unto themselves for easy(ier) historical comparison.
Thanks,
Parker
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
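Editor's added example (not part of the original post or of the Snort project): the statistics tables Parker is after arrive through syslog one message per line, and nothing in the numeric rows identifies them as part of a "Rule Profile Statistics" or "Preprocessor Profile Statistics" table, so a syslog-ng match() filter can only catch the header line, not the whole table. A small post-processor that reads the syslog file, keeps only messages from the snort program (so interleaved cron or kernel lines do not cut a table short), collects each table from its header to the first unrelated Snort message, and diffs per-rule microseconds between two snapshots gives the historical comparison the post asks for. The syslog line layout, the column order (Num SID GID Rev Checks Matches Alerts Microsecs ...) and the sample log are assumptions modeled on Snort 2.x output; adjust the regex and column indices for your version.

```python
import re

# Assumed syslog line layout: "Mon DD HH:MM:SS host prog[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"(?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
RULE_HDR = "Rule Profile Statistics"
PREPROC_HDR = "Preprocessor Profile Statistics"


def snort_messages(lines):
    """Yield (timestamp, message) for lines logged by the 'snort' program.

    Other daemons are dropped here, so a cron or kernel line interleaved
    with a statistics table does not truncate the table.
    """
    for line in lines:
        m = SYSLOG_RE.match(line.rstrip("\r\n"))
        if m and m.group("prog") == "snort":
            yield m.group("ts"), m.group("msg")


def extract_blocks(lines):
    """Return [(kind, timestamp, rows)] for every profile table in the log.

    A table starts at a header line and continues through '===' separators,
    the column-name line and numeric rows; any other snort message ends it.
    """
    blocks = []
    current = None
    for ts, msg in snort_messages(lines):
        if RULE_HDR in msg or PREPROC_HDR in msg:
            current = ("rule" if RULE_HDR in msg else "preprocessor", ts, [])
            blocks.append(current)
            continue
        if current is None:
            continue
        text = msg.strip()
        if not text or set(text) <= {"=", " "} or text.startswith("Num"):
            continue                 # separator or column-header line
        if text[0].isdigit():
            current[2].append(text.split())
        else:
            current = None           # e.g. "Snort exiting"
    return blocks


def rule_table(rows):
    """Map "GID:SID" -> counters for one rule-profile table.

    Assumed column order: Num SID GID Rev Checks Matches Alerts Microsecs ...
    """
    table = {}
    for r in rows:
        if len(r) < 8:
            continue
        table["%s:%s" % (r[2], r[1])] = {
            "checks": int(r[4]), "matches": int(r[5]),
            "alerts": int(r[6]), "microsecs": int(r[7]),
        }
    return table


def diff_rules(old, new):
    """Per-rule change in microseconds (new minus old) for rules in both."""
    return {k: new[k]["microsecs"] - old[k]["microsecs"] for k in new if k in old}


# Constructed sample: two Snort runs, a cron line interleaved with the first
# rule table, and a preprocessor table between them. Not real captured data.
SAMPLE_LOG = """\
Jun 22 15:04:01 lab snort[1234]: Rule Profile Statistics (all rules)
Jun 22 15:04:01 lab snort[1234]: ==========================================================
Jun 22 15:04:01 lab snort[1234]:    Num      SID GID Rev     Checks   Matches    Alerts           Microsecs  Avg/Check  Avg/Match Avg/Nonmatch   Disabled
Jun 22 15:04:01 lab snort[1234]:    ===      === === ===     ======   =======    ======           =========  =========  ========= ============   ========
Jun 22 15:04:01 lab snort[1234]:      1     2000   1   1      34600      1200        10              230400       6.66       8.23         6.60          0
Jun 22 15:04:01 lab CRON[999]: (root) CMD (run-parts /etc/cron.hourly)
Jun 22 15:04:01 lab snort[1234]:      2     2001   1   2       8800       300         3               41000       4.65       5.10         4.60          0
Jun 22 15:04:01 lab snort[1234]: Preprocessor Profile Statistics (all)
Jun 22 15:04:01 lab snort[1234]: ==========================================================
Jun 22 15:04:01 lab snort[1234]:  Num            Preprocessor Layer     Checks      Exits           Microsecs  Avg/Check Pct of Caller Pct of Total
Jun 22 15:04:01 lab snort[1234]:  ===            ============ =====     ======      =====           =========  ========= ============= ============
Jun 22 15:04:01 lab snort[1234]:   1                 detect     0      50000      50000              900000      18.00        90.00        90.00
Jun 22 15:04:01 lab snort[1234]: Snort exiting
Jun 22 15:17:30 lab snort[1300]: Rule Profile Statistics (all rules)
Jun 22 15:17:30 lab snort[1300]: ==========================================================
Jun 22 15:17:30 lab snort[1300]:    Num      SID GID Rev     Checks   Matches    Alerts           Microsecs  Avg/Check  Avg/Match Avg/Nonmatch   Disabled
Jun 22 15:17:30 lab snort[1300]:    ===      === === ===     ======   =======    ======           =========  =========  ========= ============   ========
Jun 22 15:17:30 lab snort[1300]:      1     2000   1   1      40000      1500        12              300000       7.50       8.50         7.40          0
"""

if __name__ == "__main__":
    snaps = [(ts, rule_table(rows)) for kind, ts, rows in
             extract_blocks(SAMPLE_LOG.splitlines()) if kind == "rule"]
    for ts, table in snaps:
        print(ts, table)
    if len(snaps) >= 2:
        print("delta microsecs:", diff_rules(snaps[0][1], snaps[-1][1]))
```

Run it against /var/log/snort_notice (or, better, a file fed by a program("snort") filter so the input is already Snort-only) and append each snapshot's rule_table to a dated file; diff_rules across two dates then shows which rules got more expensive between runs.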
Current thread:
- Useful logging of performance statistics Crook, Parker (Jun 22)
- Re: Useful logging of performance statistics Jason Wallace (Jun 22)
- Re: Useful logging of performance statistics Crook, Parker (Jun 22)
- Re: Useful logging of performance statistics Jason Wallace (Jun 22)
- Re: Useful logging of performance statistics Crook, Parker (Jun 23)
- Re: Useful logging of performance statistics Crook, Parker (Jun 24)
- Re: Useful logging of performance statistics Crook, Parker (Jun 22)
- Re: Useful logging of performance statistics Jason Wallace (Jun 22)
