Snort mailing list archives
Re: Useful logging of performance statistics
From: Jason Wallace <jason.r.wallace () gmail com>
Date: Tue, 22 Jun 2010 16:53:20 -0400
Out of curiosity, what do you have for sources? Is s_all just snort logs?

Wally

On Tue, Jun 22, 2010 at 3:55 PM, Crook, Parker <Parker_Crook () reyrey com> wrote:
Good afternoon all,
I recently switched over to syslog-ng in my lab environment after living
with the status quo for way too long (on Debian, Snort logs to
/var/log/syslog). After being lazy and scrolling the few hundred/thousand
lines to get to the rules and preprocessor stats in my log files, I wanted a
better way. Now that I am using syslog-ng, I have:
#DESTINATION
destination snort_info { file("/var/log/snort_info"); };
destination snort_warn { file("/var/log/snort_warn"); };
destination snort_notice { file("/var/log/snort_notice"); };
destination snort_crit { file("/var/log/snort_crit"); };
destination snort_err { file("/var/log/snort_err"); };
destination snort_emerg { file("/var/log/snort_emerg"); };
#FILTER
filter f_snort_info { level(info); };
filter f_snort_notice { level(notice); };
filter f_snort_warn { level(warn); };
filter f_snort_crit { level(crit); };
filter f_snort_err { level(err); };
filter f_snort_emerg { level(emerg); };
#LOG
log { source(s_all); filter(f_snort_info); destination(snort_info); };
log { source(s_all); filter(f_snort_notice); destination(snort_notice); };
log { source(s_all); filter(f_snort_warn); destination(snort_warn); };
log { source(s_all); filter(f_snort_crit); destination(snort_crit); };
log { source(s_all); filter(f_snort_err); destination(snort_err); };
log { source(s_all); filter(f_snort_emerg); destination(snort_emerg); };
And was kind of hoping for a nice breakup of logging; alas:
4 drwxr-xr-x 2 snort snort 4096 2010-06-22 15:04 snort
12 -rw-r----- 1 root adm 8465 2010-06-22 15:04 snort_err
452 -rw-r----- 1 root adm 455815 2010-06-22 15:17 snort_info
588 -rw-r----- 1 root adm 597570 2010-06-22 15:04 snort_notice
24 -rw-r----- 1 root adm 22932 2010-06-22 15:04 snort_warn
So I found the Preprocessor Profile Statistics & Rule Profile Statistics in
snort_notice, but I still have to rummage through a bunch of cruft just to
get what I am looking for. So my question is: Is there a better way? I
want to log my rule profile & preprocessor profile statistics to a log unto
themselves for easy(ier) historical comparison.
Thanks,
Parker
------------------------------------------------------------------------------
ThinkGeek and WIRED's GeekDad team up for the Ultimate
GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the
lucky parental unit. See the prize list and enter to win:
http://p.sf.net/sfu/thinkgeek-promo
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
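An added example, not from anyone in this thread, of one way to get at the historical comparison Parker asks about: pull the Rule Profile Statistics table out of the snort_notice file and emit one CSV row per rule per run. The syslog line layout (Debian-style timestamp, host, snort[pid]) and the column order are assumptions modelled on syslog-ng's default output and the table in the Snort manual; the sample log below is constructed, so check both against your own files.

```python
import csv
import io
import re

# Constructed sample of what syslog-ng writes to /var/log/snort_notice when Snort
# reports rule profiling via syslog (layout modelled on the Snort manual; verify locally).
SAMPLE_LOG = """\
Jun 22 15:04:01 sensor snort[2231]: Rule Profile Statistics (all rules)
Jun 22 15:04:01 sensor snort[2231]: ==========================================================
Jun 22 15:04:01 sensor snort[2231]:    Num      SID GID Rev     Checks   Matches    Alerts           Microsecs  Avg/Check  Avg/Match Avg/Nonmatch
Jun 22 15:04:01 sensor snort[2231]:    ===      === === ===     ======   =======    ======           =========  =========  ========= ============
Jun 22 15:04:01 sensor snort[2231]:      1     2389   1  12          1         1         1                  385      385.0      385.0          0.0
Jun 22 15:04:01 sensor snort[2231]:      2     1523   1   8        200         3         3                 1810        9.1       50.0          8.5
Jun 22 15:04:01 sensor snort[2231]: Preprocessor Profile Statistics (all)
Jun 22 15:04:01 sensor snort[2231]: ==========================================================
"""

# Assumed syslog line shape: timestamp, host, "snort[pid]:", then the message text.
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ snort\[\d+\]: (?P<msg>.*)$")
COLUMNS = ["num", "sid", "gid", "rev", "checks", "matches", "alerts",
           "microsecs", "avg_check", "avg_match", "avg_nonmatch"]

def parse_rule_profile(text):
    """Return one dict per rule row, tagged with the timestamp of the run it came from."""
    rows, in_block, run_ts = [], False, None
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue                                  # not a Snort syslog line
        msg = m.group("msg").strip()
        if msg.startswith("Rule Profile Statistics"):
            in_block, run_ts = True, m.group("ts")    # a new report begins here
            continue
        if not in_block:
            continue
        fields = msg.split()
        if fields and fields[0].isdigit() and len(fields) == len(COLUMNS):
            # first eight columns are counters, the remaining three are averages
            values = [int(f) for f in fields[:8]] + [float(f) for f in fields[8:]]
            rows.append(dict(zip(COLUMNS, values), run=run_ts))
        elif not msg.startswith(("=", "Num")):
            in_block = False        # anything other than rulers or column names ends the table
    return rows

def to_csv(rows):
    """CSV text, one line per rule row, ready to append to a history file."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["run"] + COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()
```

Because Snort hands each line of the table to syslog as its own message, a syslog-ng match() on the heading text alone would divert only the heading line, which is why this parses the notice file after the fact instead of trying to route the table at log time.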