[Snort-users] Logging Question

Rich Adamson radamson at ...2127...
Mon Jun 11 21:21:59 EDT 2001


> What is the difference between using the -s option to log to syslog and
> the output plugin:
> output alert_syslog: LOG_AUTH LOG_ALERT ?
> and should/could I be using both at the same time ??
> 

The "-s 10.0.0.1" option directs the syslog output to an IP address on
the default UDP port 514.

The "output alert_syslog..." option is apparently supposed to set the
syslog Facility (LOG_AUTH) and Priority (LOG_ALERT) level used when sending
syslog messages. However, a recent analysis of the v1.7 source code 
indicates these two options (Facility and Priority) were never implemented
correctly (or it's incomplete code), and thus changing the Facility and/or
Priority using this mechanism does not function. The only way that I've 
found to change the Facility and/or Priority is by changing the source code
and recompiling.
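
An added example, not part of the original message and not Snort code: one way to check which Facility and Priority actually reach the syslog receiver is to decode the `<PRI>` field at the start of each datagram (PRI = facility * 8 + severity, per RFC 3164) and compare it with the configured `LOG_AUTH LOG_ALERT`. The payloads in `SAMPLES` are constructed for illustration, and the function names are this example's own.

```python
import re

# Facility and severity codes from RFC 3164 (the BSD syslog protocol).
FACILITIES = {0: "LOG_KERN", 1: "LOG_USER", 2: "LOG_MAIL", 3: "LOG_DAEMON",
              4: "LOG_AUTH", 5: "LOG_SYSLOG", 6: "LOG_LPR", 7: "LOG_NEWS",
              8: "LOG_UUCP", 9: "LOG_CRON", 10: "LOG_AUTHPRIV", 11: "LOG_FTP",
              **{16 + n: f"LOG_LOCAL{n}" for n in range(8)}}
SEVERITIES = ["LOG_EMERG", "LOG_ALERT", "LOG_CRIT", "LOG_ERR",
              "LOG_WARNING", "LOG_NOTICE", "LOG_INFO", "LOG_DEBUG"]

PRI_RE = re.compile(rb"^<(\d{1,3})>")


def decode_pri(datagram: bytes):
    """Return (facility, severity) names for a syslog payload, or None."""
    m = PRI_RE.match(datagram)
    if not m:
        return None          # no <PRI> header at all
    pri = int(m.group(1))
    if pri > 191:            # 23 * 8 + 7 is the largest valid PRI
        return None
    facility, severity = divmod(pri, 8)
    return FACILITIES.get(facility, f"facility{facility}"), SEVERITIES[severity]


def check(datagrams, want=("LOG_AUTH", "LOG_ALERT")):
    """Return (decoded, payload) for every payload whose PRI differs from want."""
    return [(decode_pri(d), d) for d in datagrams if decode_pri(d) != want]


# Constructed payloads (not real Snort output), as they would appear on UDP 514.
SAMPLES = [
    b"<33>snort: constructed test alert A",   # 4*8+1  = auth.alert (expected)
    b"<38>snort: constructed test alert B",   # 4*8+6  = auth.info
    b"<129>snort: constructed test alert C",  # 16*8+1 = local0.alert
    b"snort: constructed line without PRI",   # malformed, no header
]

if __name__ == "__main__":
    for got, payload in check(SAMPLES):
        print("unexpected PRI:", got, payload[:40])
```

The payloads can come from a packet capture of UDP port 514 or from a socket bound on the receiving host; any message that `check` reports was not sent with the configured Facility and Priority.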




