[Snort-users] Repost: Syslog, but I don't want it

Marc Thompson Marc.Thompson at ...2101...
Fri Jun 1 12:27:48 EDT 2001


You showed me your snort startup line:

	snort -dD -h 111.222.333.444/24 -l $LOGPATH -c $RULESPATH/$RULESNAME

In my snort configuration file, I was setting tcpdump logging, so I hadn't
set the -l $LOGPATH option.  I added the -l $LOGPATH argument on the command
line and it seems to have prevented syslog logging, which is what I want.
Also, it hasn't affected the tcpdump output, which I need.  All is well.

So, it looks to me that if you start snort without the -l option, it will
assume that alerts need to be sent to the syslog facility.  With the -l
option, it sends alerts to the logging dir specified and *not* syslog.

Thanks to everyone who provided me with insights and solutions on
this issue.  I think that the action of the -l option is probably by
design and ensures that alerts get sent somewhere in the event that
-l is not used.

So, this issue is resolved for me and it took less than 24 hours.  If I got
that quality of support from commercial vendors I wouldn't have to use
open/free software :-)

-Marc Thompson

Marc Thompson
IT Site Manager
BOPS, Inc.
7800 Shoal Creek Blvd. Suite 200N
Austin, TX 78757
Direct: (512)407-1103
Fax:  (512)346-8407

This message is for the sole use of the intended recipient(s) and may contain
confidential and privileged information.  Any unauthorized review, use,
disclosure, or distribution is prohibited.  If you are not the intended
recipient, please contact the sender and destroy all copies of the original message.

-----Original Message-----
From: Neil Dickey [mailto:neil at ...1633...]
Sent: Friday, June 01, 2001 10:24 AM
To: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Repost: Syslog, but I don't want it

Marc Thompson <Marc.Thompson at ...2101...> wrote:

>You recommended that I run snort without the -D (Daemon-mode)
>option.  I tried this, ran nmap, alerts fired but weren't sent
>to syslog.  This is the behavior that I want, so your idea worked.
>So, it seems that running snort in Daemon mode enables syslog
>logging via the LOCAL facility.  I imagine that this is by design.

For what it's worth, here's the command line in the script I use
to start Snort 1.7 on my system (Solaris 2.7):

  snort -dD -h 111.222.333.444/24 -l $LOGPATH -c $RULESPATH/$RULESNAME -o

I think my variables make enough sense that you don't need me to
translate them.  ;-)  This arrangement works fine, in daemon mode,
and *without* logging to syslog.

Perhaps there is a problem with the RedHat implementation of Snort,
but it doesn't exist under Solaris.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
