Snort mailing list archives
Re: Useful logging of performance statistics
From: "Crook, Parker" <Parker_Crook () reyrey com>
Date: Tue, 22 Jun 2010 17:05:38 -0400
Wally,
Here are my sources:
source s_all {
# message generated by Syslog-NG
internal();
# standard Linux log source (this is the default place for the syslog()
# function to send logs to)
unix-stream("/dev/log");
# messages from the kernel
file("/proc/kmsg" log_prefix("kernel: "));
# use the following line if you want to receive remote UDP logging messages
# (this is equivalent to the "-r" syslogd flag)
# udp();
};
-Parker
-----Original Message-----
From: Jason Wallace [mailto:jason.r.wallace () gmail com]
Sent: Tuesday, June 22, 2010 4:53 PM
To: Crook, Parker
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Useful logging of performance statistics
Out of curiosity what do you have for sources? Is s_all just snort logs?
Wally
On Tue, Jun 22, 2010 at 3:55 PM, Crook, Parker <Parker_Crook () reyrey com> wrote:
Good afternoon all,
I recently switched over to syslog-ng in my lab environment after living
with the status-quo for way too long (On Debian, Snort logs to
/var/log/syslog). After being lazy and scrolling the few hundred/thousand
lines to get to the rules and preprocessor stats in my log files, I wanted a
better way. Now that I am using syslog-ng, I have:
#DESTINATION
destination snort_info { file("/var/log/snort_info"); };
destination snort_warn { file("/var/log/snort_warn"); };
destination snort_notice { file("/var/log/snort_notice"); };
destination snort_crit { file("/var/log/snort_crit"); };
destination snort_err { file("/var/log/snort_err"); };
destination snort_emerg { file("/var/log/snort_emerg"); };
#FILTER
filter f_snort_info { level(info); };
filter f_snort_notice { level(notice); };
filter f_snort_warn { level(warn); };
filter f_snort_crit { level(crit); };
filter f_snort_err { level(err); };
filter f_snort_emerg { level(emerg); };
#LOG
log { source(s_all); filter(f_snort_info); destination(snort_info); };
log { source(s_all); filter(f_snort_notice); destination(snort_notice); };
log { source(s_all); filter(f_snort_warn); destination(snort_warn); };
log { source(s_all); filter(f_snort_crit); destination(snort_crit); };
log { source(s_all); filter(f_snort_err); destination(snort_err); };
log { source(s_all); filter(f_snort_emerg); destination(snort_emerg); };
And was kind of hoping for a nice breakup of logging; alas:
4 drwxr-xr-x 2 snort snort 4096 2010-06-22 15:04 snort
12 -rw-r----- 1 root adm 8465 2010-06-22 15:04 snort_err
452 -rw-r----- 1 root adm 455815 2010-06-22 15:17 snort_info
588 -rw-r----- 1 root adm 597570 2010-06-22 15:04 snort_notice
24 -rw-r----- 1 root adm 22932 2010-06-22 15:04 snort_warn
So I found the Preprocessor Profile Statistics & Rule Profile Statistics in
snort_notice, but I still have to rummage through a bunch of cruft just to
get what I am looking for. So my question is: Is there a better way? I
want to log my rule profile & preprocessor profile statistics to a log unto
themselves for easy(ier) historical comparison.
Thanks,
Parker
------------------------------------------------------------------------------
ThinkGeek and WIRED's GeekDad team up for the Ultimate
GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the
lucky parental unit. See the prize list and enter to win:
http://p.sf.net/sfu/thinkgeek-promo
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
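The level() filters above cannot isolate the profile statistics because Snort emits them at the same notice level as much of its other output, so the split has to key on the message content instead. The script below is an added example for this thread (not Parker's configuration and not Snort project code): it reads a syslog-ng destination file such as /var/log/snort_notice, pulls out each "Rule Profile Statistics" and "Preprocessor Profile Statistics" block, and writes every block to its own timestamped file so runs can be compared later. It assumes the default BSD-syslog line shape ("host snort[pid]: message") and that the table lines Snort logs after a header begin with whitespace or '='. The sample log embedded at the bottom is constructed for the example; its column layout is illustrative, not a copy of Snort's real output, and the key/value column positions used by delta_by_key are assumptions to adjust for your version.

```python
"""Extract Snort profile statistics blocks from a syslog-ng destination file.

Added example for this thread; not Parker's config or Snort project code.
Assumes BSD-syslog lines "Mon DD HH:MM:SS host prog[pid]: message" and that
the statistics table lines begin with whitespace or '='.
"""
import re
import sys
from pathlib import Path

# "Jun 22 15:04:01 sensor snort[4242]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# Header lines Snort prints before each statistics table.
HEADER_RE = re.compile(r"^(?P<kind>Rule|Preprocessor) Profile Statistics")


def parse_line(line):
    """Return the syslog fields of one line, or None if it is not syslog-shaped."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def extract_profile_blocks(lines, program="snort"):
    """Return [(timestamp, kind, [message lines]), ...].

    A block opens at a "... Profile Statistics" header from `program` and
    keeps collecting while the following lines come from the same program
    and look like table content (start with whitespace or '='). Any other
    line closes it, so interleaved alerts are never swept into a block.
    """
    blocks = []
    current = None
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or rec["prog"] != program:
            current = None
            continue
        msg = rec["msg"]
        hdr = HEADER_RE.match(msg)
        if hdr:
            current = (rec["ts"], hdr.group("kind"), [msg])
            blocks.append(current)
        elif current is not None and (msg[:1].isspace() or msg.startswith("=")):
            current[2].append(msg)
        else:
            current = None
    return blocks


def table_rows(block):
    """Split a block body into token rows, dropping the column header and
    the '===' underline lines; a data row is one whose first token is a number."""
    rows = []
    for msg in block[2][1:]:
        toks = msg.split()
        if toks and toks[0].isdigit():
            rows.append(toks)
    return rows


def delta_by_key(old_rows, new_rows, key_col=1, value_col=-1):
    """Per-key change of one numeric column between two runs of the same table.
    key_col=1 (SID) and value_col=-1 (last column) are assumptions for this sample."""
    old = {r[key_col]: int(r[value_col]) for r in old_rows}
    return {r[key_col]: int(r[value_col]) - old.get(r[key_col], 0) for r in new_rows}


def block_filename(block):
    """e.g. rule_profile_Jun_22_15-04-01.log"""
    ts, kind, _ = block
    return "%s_profile_%s.log" % (kind.lower(), ts.replace(" ", "_").replace(":", "-"))


def write_blocks(blocks, outdir):
    """Write each block to its own file under outdir; returns the paths written."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for block in blocks:
        p = out / block_filename(block)
        p.write_text("\n".join(block[2]) + "\n")
        paths.append(p)
    return paths


# Constructed sample input; layout is illustrative only.
SAMPLE_LOG = """\
Jun 22 15:04:01 sensor snort[4242]: Rule Profile Statistics (all rules)
Jun 22 15:04:01 sensor snort[4242]: ==========================================
Jun 22 15:04:01 sensor snort[4242]:    Num      SID GID Rev  Checks Matches Alerts Microsecs
Jun 22 15:04:01 sensor snort[4242]:    ===      === === ===  ====== ======= ====== =========
Jun 22 15:04:01 sensor snort[4242]:      1  1000001   1   1    1500      12     12      8234
Jun 22 15:04:01 sensor snort[4242]:      2  1000002   1   3     900       3      3      2110
Jun 22 15:04:01 sensor snort[4242]: Preprocessor Profile Statistics (all)
Jun 22 15:04:01 sensor snort[4242]: ==========================================
Jun 22 15:04:01 sensor snort[4242]:  Num  Preprocessor Layer  Checks  Exits  Microsecs
Jun 22 15:04:01 sensor snort[4242]:  ===  ============ =====  ======  =====  =========
Jun 22 15:04:01 sensor snort[4242]:   1         detect     0    3000   3000      45000
Jun 22 15:04:02 sensor snort[4242]: [1:1000001:1] TEST local rule {TCP} 10.0.0.5:4321 -> 10.0.0.9:80
Jun 22 15:04:03 sensor sshd[77]: Accepted publickey for ops from 10.0.0.2 port 5555
"""

if __name__ == "__main__":
    # Usage: python snort_profile_split.py /var/log/snort_notice /var/log/snort/profiles
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    dest = sys.argv[2] if len(sys.argv) > 2 else "./profiles"
    for p in write_blocks(extract_profile_blocks(src), dest):
        print("wrote", p)
```

Run it against the notice file (or on no arguments to exercise the constructed sample) and each statistics dump lands in its own file under the output directory; feeding two runs' rule tables through delta_by_key shows which rules' cost moved between snapshots. The same content-based idea can be pushed into syslog-ng itself with a program("snort") filter combined with match() on the message text, which is what a level() filter alone cannot do here.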