[Snort-users] Logging alerts two places at once

Chris Green cmg at ...671...
Fri Jan 26 09:29:31 EST 2001


Peter Bates <peter.bates at ...79...> writes:

> Hello all...
> 
> >Yeah, specify the output plugins in the conf file.  For what you're
> >asking for, you'd want to do something like:
> >
> >output syslog: LOG_AUTH LOG_ALERT
> >output full: alert
> 
> I was about to ask the same question (thanks Lance!)...
> 
> I've got the above in my snort.conf, but no joy
> in terms of the file logging...
> 

You need to not specify -A and -s options on the command line.  You
should see a warning about command line options overriding the config
file.

> I'm using (as the command-line option)
> 
> /snort -u snort -g snort -A full -de -s -D -i eth1 -N -c /etc/snort/snort.conf
> 
> and it logs fine to syslog, but no other
> recording in the 'alert' file...
> 
> Or should the startup commands be really
> simple, and all the complex stuff be in the snort.conf?

Yes, I believe so.
-- 
Chris Green <cmg at ...671...>
Life is a series of rude awakenings.
                -- R.V. Winkle
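
The override described in this reply can be caught before the sensor starts. The preflight check below is an added example, not part of the original thread or of Snort: the function names and the sample conf are constructed, and only the options that appear in the command line quoted above are modelled.

```sh
# Added example. Option letters, and which of them take an argument, come from
# the command line quoted in this thread; other Snort options are not modelled.
# Print the alert-mode options (-A, -s) present in a Snort argument list.
overriding_opts() {
    found=""
    while [ $# -gt 0 ]; do
        arg=$1; shift
        case $arg in -?*) ;; *) continue ;; esac
        cluster=${arg#-}                  # "-de" is the cluster "de"
        while [ -n "$cluster" ]; do
            rest=${cluster#?}
            opt=${cluster%"$rest"}        # first letter of the cluster
            cluster=$rest
            case $opt in A|s) found="$found -$opt" ;; esac
            case $opt in
                u|g|A|i|c)                # value is the rest of the word or the next word
                    if [ -z "$cluster" ] && [ $# -gt 0 ]; then shift; fi
                    cluster="" ;;
            esac
        done
    done
    echo "${found# }"
}

# Return 1 when the conf has output lines and the arguments would override them.
check_snort_start() {
    conf=$1; shift
    opts=$(overriding_opts "$@")
    outputs=$(grep -E '^[[:space:]]*output[[:space:]]' "$conf" || true)
    if [ -n "$opts" ] && [ -n "$outputs" ]; then
        echo "command-line $opts overrides the output lines in $conf:" >&2
        echo "$outputs" >&2
        return 1
    fi
}

# Constructed sample conf holding the two output lines quoted in the thread.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
printf '%s\n' 'output syslog: LOG_AUTH LOG_ALERT' 'output full: alert' > "$SAMPLE_CONF"
for args in "-u snort -g snort -A full -de -s -D -i eth1 -N" "-u snort -g snort -de -D -i eth1 -N"; do
    # $args is deliberately unquoted so it splits into separate words
    if check_snort_start "$SAMPLE_CONF" $args -c "$SAMPLE_CONF"; then
        echo "ok:       snort $args"
    else
        echo "conflict: snort $args"
    fi
done
```

Run from an init script, a non-zero return from `check_snort_start` is the point to stop and fix the start line rather than launch a sensor whose file alerting is silently missing.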