Bamm Visscher bamm at ...539...
Mon Apr 9 23:07:42 EDT 2001

Probably because by default, the output database example is before the
output to syslog.  And if you try to run snort with this config (output
database; output syslog), then alerts only will only be logged to the
syslog function.  It took me a while to figure this one out. By chance,
I finally swapped the order (output syslog; output database) and bingo
all was well. If this is documented somewhere, I missed it.


Joe McAlerney wrote:
> If you wanted to specify a certain set of rules to only log to syslog
> and the database, then yes.  Otherwise, you can just add the output
> lines to your configuration file and completely bypass making an
> additional rule type.
> output alert_syslog: LOG_AUTH LOG_ALERT
> output database: log, mysql, user=xxx dbname=xxx host=xxx password=xxxx
> I suspect this is what you are trying to do.  Other people have been
> confused with the ruletype example in the supplied snort.conf file as
> well.  I'm guessing that seeing the two (popular) output types in that
> example could lead one to believe that is the simplest/best way to use
> them together.
> -Joe M.

More information about the Snort-users mailing list