[Snort-users] Re: alert_syslog & alert_full (even with -l)

Chris Green cmg at ...671...
Tue Jan 30 14:37:24 EST 2001

Fabrice <fabrice at ...1224...> writes:

> Hello,
> (still for the logging with alert_syslog & alert_full simultaneusly)
> I already use the -l option, here is how i lauch snort:
>    /usr/sbin/snort -u snort -g snort -p -d -D -i eth0 -l
>    /var/log/snort -c
> /etc/snort/snort.conf
> and here is what i added in snort.conf:
>    ruletype redalert
>    {
>      type alert
>      output alert_full: /var/log/snort/alert
>      output alert_syslog: LOG_AUTHPRIV
>    }

This defines a new type of alert that gets logged differently than the
regular alert system.

You need to put

output alert_full: alert
output alert_syslog: LOG_AUTHPRIV LOG_ALERT

in your snort.conf ( _not_ inside the ruletype construct {}'s )

output alert_syslog: LOG_AUTH LOG_ALERT
output alert_fast: blah.fast
output database: log, postgresql, user=sprout dbname=snort

just worked for me with
snort -r snort-0125 at ...1248... -l . -c snort.conf )

you might be having problems with no logging priority being defined..

Chris Green <cmg at ...671...>
I've had a perfectly wonderful evening. But this wasn't it.
     -- Groucho Marx

More information about the Snort-users mailing list