[Snort-users] SOLVED: Logging alerts two places at once

Peter Bates peter.bates at ...79...
Mon Jan 29 12:01:37 EST 2001

Hello all...

I've been bothering Marty with this one
for a while, so having finally solved it,
I'd be interested in any verification from others
as to whether it is a bug in snort itself, or
just a bug in my convoluted setup!

The whole thing started with Lance S requesting
confirmation of the configuration required to both
log to syslog, and also do full alerts to the usual file...

I wanted to do exactly the same thing, and tried so many
different combinations without success...

As various people had suggested,

output alert_syslog: LOG_AUTH LOG_ALERT
output alert_full: alert

in the snort.conf file, and then removal of
all references to logging (i.e. -A, -s, etc.)
in the command-line, should work...

I however found it would seemingly do 1 or the other...

I tried:

1) Checking permissions on the /var/log/snort directory
2) Creating /var/log/snort/alert by hand, restarting snort
and seeing if it sprung to life...
3) Disabling the syslog line to see if they were somehow
4) Removing -N from my command-line, resulting obviously
in the separate IP address based logs appearing, but still
no single 'alert' file

In the end it was the lack of

-l /path/to/where/you/want/it/logged

in my command-line that was stopping it.

Has anyone else noticed this, or can confirm
it as a bug in general?

I didn't consider this for a while, as all of the
documentation I was reading implied it defaulted to
/var/log/snort (automatically created, in my case, by the RPM)
if a path wasn't specified by -l...

I can now, however, sit back and watch the fireworks
quite happily...

Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone:0207-927 2124 / Fax:0207-436 5389 / Pager: 07625 255362
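A small sanity check along the lines of what this post works out, added here as an example and not taken from the post or from Snort itself: it confirms that snort.conf carries both output plugins and that the directory you intend to pass with -l exists and is writable. The function names (check_snort_logging, has_output_plugin) and the sample config are my own.

```shell
#!/bin/sh
# Added example (not from the original post): verify a snort.conf has the two
# output plugins discussed in the thread and that the -l directory snort will
# be pointed at actually exists and is writable.
# Usage: check_snort_logging /etc/snort/snort.conf /var/log/snort

has_output_plugin() {
    # $1 = snort.conf path, $2 = plugin name (e.g. alert_full)
    # Match an uncommented "output <plugin>:" line.
    grep -Eq "^[[:space:]]*output[[:space:]]+$2:" "$1"
}

check_snort_logging() {
    conf="$1"; logdir="$2"; rc=0
    if has_output_plugin "$conf" alert_syslog; then
        echo "ok: alert_syslog configured in $conf"
    else
        echo "missing: output alert_syslog in $conf"; rc=1
    fi
    if has_output_plugin "$conf" alert_full; then
        echo "ok: alert_full configured in $conf"
    else
        echo "missing: output alert_full in $conf"; rc=1
    fi
    # The post's root cause: the alert file never appeared until -l named a
    # real directory. Confirm the directory exists and is writable.
    if [ -d "$logdir" ] && [ -w "$logdir" ]; then
        echo "ok: $logdir exists and is writable (pass it with -l $logdir)"
    else
        echo "problem: $logdir missing or not writable; alert_full cannot create $logdir/alert"; rc=1
    fi
    return $rc
}

# Constructed sample config and directory so the check can run offline.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/snort.conf" <<'EOF'
# constructed sample snort.conf
output alert_syslog: LOG_AUTH LOG_ALERT
output alert_full: alert
EOF
check_snort_logging "$SAMPLE_DIR/snort.conf" "$SAMPLE_DIR"
```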
