[Snort-users] Repost: Syslog, but I don't want it
Marc.Thompson at ...2101...
Fri Jun 1 12:27:48 EDT 2001
You showed me your snort startup line:
snort -dD -h 111.222.333.444/24 -l $LOGPATH -c $RULESPATH/$RULESNAME
In my snort configuration file, I was setting tcpdump logging, so hadn't
set the -l $LOGPATH option. I added the -l $LOGPATH argument on the command
line and it seems to have prevented syslog logging, which is what I want.
Also, it hasn't affected the tcpdump output, which I need. All is well.
So, it looks to me that if you start snort without the -l option, it will
assume that alerts need to be sent to the syslog facility. With the -l
option, it sends alerts to the logging dir specified and *not* syslog.
Thanks to everyone who provided me with insights and solutions on
this issue. I think that the action of the -l option is probably by
design and ensures that alerts get sent somewhere in the event that
-l is not used.
So, this issue is resolved for me and it took less than 24 hours. If I got
that quality of support from commercial vendors I wouldn't have to use
open/free software :-)
IT Site Manager
7800 Shoal Creek Blvd. Suite 200N
Austin, TX 78757
From: Neil Dickey [mailto:neil at ...1633...]
Sent: Friday, June 01, 2001 10:24 AM
To: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Repost: Syslog, but I don't want it
Marc Thompson <Marc.Thompson at ...2101...> wrote:
>You recommended that I run snort without the -D (Daemon-mode)
>option. I tried this, ran nmap, alerts fired but weren't sent
>to syslog. This is the behavior that I want, so your idea worked.
>So, it seems that running snort in Daemon mode enables syslog
>logging via the LOCAL facility. I imagine that this is by design.
For what it's worth, here's the command line in the script I use
to start Snort 1.7 on my system (Solaris 2.7):
snort -dD -h 111.222.333.444/24 -l $LOGPATH -c $RULESPATH/$RULESNAME -o
I think my variables make enough sense that you don't need me to
translate them. ;-) This arrangement works fine, in daemon mode,
and *without* logging to syslog.
Perhaps there is a problem with the RedHat implementation of Snort,
but it doesn't exist under Solaris.
Neil Dickey, Ph.D.
Northern Illinois University