[Snort-users] Re: alert_syslog & alert_full (even with -l)

Fabrice fabrice at ...1224...
Tue Jan 30 12:12:23 EST 2001


Hello,

(still for the logging with alert_syslog & alert_full simultaneusly)

I already use the -l option, here is how i lauch snort:
   /usr/sbin/snort -u snort -g snort -p -d -D -i eth0 -l /var/log/snort -c 
/etc/snort/snort.conf

and here is what i added in snort.conf:
   ruletype redalert
   {
     type alert
     output alert_full: /var/log/snort/alert
     output alert_syslog: LOG_AUTHPRIV
   }

All permissions are ok.

Syslog's config about for LOG_AUTHPRIV:
   authpriv.*                      /var/log/secure


Running:
The creation of a directory with the name of the ip and the adding
the small dump of the alert are working in both cases.

Alerts are logged into the /var/log/snort/alert but not in the
syslog file (in my case, /var/log/secure).

If I add the -s command line parameter, then the syslog
logging works, but no more the /var/log/snort/alert one.

What am I doing wrong?
(I use the rpm version of snort 1.7.0)

Thanks,

Fab





More information about the Snort-users mailing list