[Snort-users] Help with output alert_syslog

Joe McAlerney joey at ...47...
Fri Apr 27 13:37:23 EDT 2001


Hi Sean,

Sean Redmond wrote:
> 
> I'm confused about configuring output plugins. In my snort.conf I have the line
> 
>      output alert_syslog: snort.alert

Do you mean alert_full here?

> which works fine, but I can't get the syslog output working. If I have in
> snort.conf:
> 
>      output alert_syslog: LOG_LOCAL5 LOG_ALERT
> 
> and in /etc/syslog.conf:
> 
>      local5.*    /var/log/snort
> 
> Shouldn't that work? Traffic get logged in snort.alert (in the directory I
> specified with the -l switch on the command line) but not in /var/log/snort
> (This is snort 1.7, on RedHat 6.1).

-l will override what you have in your configuration file.  Remove that
and use a configuration like this:

output alert_full: snort.alert
output alert_syslog: LOG_LOCAL5 LOG_ALERT

Does that work for you?

-Joe M.

-- 
|   Joe McAlerney     joey at ...155...   |
| Silicon Defense - Technical Support for Snort |
|       http://www.silicondefense.com/          |
+--                                           --+




More information about the Snort-users mailing list