[Snort-devel] Snort PID in /var/log/messages
Basselgia, Barry A Mr (NAF Atsugi)
BABasselgia at ...2714...
Wed Feb 2 23:19:39 EST 2005
Moved this from Snort Users it seemed to be more appropriate here.
I think I have a 95% solution to having snort include it's PID in the syslog
I made the following change in spo_alert_syslog.c about line 127
was openlog("snort", data->options, data-Facility);
changed openlog("snort", LOG_PID | data->options, data->facility);
This is kind of dirty. There is already code in spo_alert_syslog.c to set
data->options, but it doesn't seem to be working, when I checked
data->options its null. I'll keep looking at the code to see if I can
figure out why data->options isn't getting set.
After this change most of the events Snort sends to syslog include the PID.
Apparently during initialization Snort makes a few calls to syslog() before
it does an openlog(). So, the first 2 dozen or so entries don't include the
PID. These entries show snorts config options. I'm going to look through
the code to find out the first place Snort calls syslog() and find a good
place to move the openlog code.
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Jeremy
Sent: Wednesday, February 02, 2005 4:12 AM
Subject: Re: [Snort-users] Snort PID in /var/log/messages
On Tue, Feb 01, Basselgia, Barry A Mr (NAF Atsugi) wrote:
> I looked back through the archives and couldn't find an answer to this.
> Is there a way to get snort to include the process ID along with the
> name when it logs to syslog?
Sekure's original request to add the PID with every snort entry into
syslog came in too late to be included in 2.3. However, this is
currently being considered for 2.4 (patches welcomed).
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
Tool for open source databases. Create drag-&-drop reports. Save time
by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
Download a FREE copy at http://www.intelliview.com/go/osdn_nl
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:
More information about the Snort-devel