[Snort-users] Syslog and Full Alerting

John_Delisle at ...1523...
Mon Mar 12 11:47:23 EST 2001


Quick update -

I've used the following with some success:

command line:
     snort -c /var/log/snort/rules/rules.170.153.0.0 -d -D -e -h 170.153.0.0/16 -i eth1

FYI - Because I'm using snorticus, the location of my logs changes hourly.
There's an hourly cron job that calls snort with different params for the log
directory each time.  I modified the code to echo the new log location to
/var/log/snort/rules/alert and I include it in my conf file.

In my conf file I have the following:
     output alert_syslog: LOG_AUTH LOG_ALERT
     # Get output alert info from alert file
     include /var/log/snort/rules/alert

In /var/log/snort/alert, I have this at the moment (will change in an
hour..):
     output alert_full: /var/log/snort/LOGS/hosnortice/20010312.10/170.153.0.0/alert


Anyhow, the results are close to what I want, I get syslog messaging, an
alert file in /var/log/snort/LOGS/hosnortice/20010312.10/170.153.0.0, but
all my packet logs are in /var/log/snort, not in the same directory as the
alert file.  How do I configure the directory for packet logs?

Any ideas?

John Delisle
Corporate Technology
Ceridian Canada Ltd
204-975-5909

Martin Roesch <roesch at ...421...>
Sent by: snort-users-admin at ...635...
To: John_Delisle at ...1523...
cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Syslog and Full Alerting
2001/03/12 12:40 AM

Try using the -l option to specify a logging directory and let us know
if that works.  Additionally, make sure you're not specifying any
alerting options on the command line, specify them in the config file.

   -Marty

John_Delisle at ...1523... wrote:
>
> Is it possible to use syslog and full alerting at the same time?  I need
> syslog for notification/paging etc.  I need the full logs for analysis.
>
> Has anyone made this work?
>
> John Delisle
> Corporate Technology
> Ceridian Canada Ltd
> 204-975-5909
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users

--
Martin Roesch
roesch at ...421...
http://www.snort.org

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
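The hourly rotation John describes, combined with Marty's advice, can be put together in one wrapper script. The following is an added example written for this archive page; it is not John's snorticus modification, not code from Snort or snorticus, and the base directory, sensor name, home net, interface, rules file and include path are assumptions taken from the paths quoted in the thread. It keeps every output plugin in the config file (alert_syslog in the main conf, alert_full in the hourly include) and passes only -l on the command line so packet logs land in the same directory as the alert file.

```shell
#!/bin/sh
# Added example, not from the original thread: an hourly cron wrapper in the
# spirit of the snorticus job described above.  It computes this hour's log
# directory, rewrites the include file that carries the alert_full line, and
# starts snort with -l pointing at that directory.  Alerting options stay in
# the config file; none are given on the command line.
#
# All paths and network values below are assumptions based on the thread.
BASE=/var/log/snort/LOGS/hosnortice
SENSOR=170.153.0.0
HOME_NET=170.153.0.0/16
IFACE=eth1
RULES=/var/log/snort/rules/rules.170.153.0.0
INCLUDE=/var/log/snort/rules/alert   # the file 'include'd by the main conf

# Log directory for a timestamp like 20010312.10: $BASE/<stamp>/$SENSOR
log_dir() {
    printf '%s/%s/%s\n' "$BASE" "$1" "$SENSOR"
}

# Rewrite the include file with just the alert_full line for this hour.
# An absolute path is used so the alert file location does not depend on -l.
#   $1 = log dir, $2 = include file to write
write_alert_include() {
    printf 'output alert_full: %s/alert\n' "$1" > "$2"
}

# Build the snort command line.  -l sets the packet-log directory; the
# alert_syslog and alert_full plugins come from the conf, not from -A/-s.
#   $1 = log dir
snort_cmd() {
    printf 'snort -c %s -l %s -d -D -e -h %s -i %s\n' \
        "$RULES" "$1" "$HOME_NET" "$IFACE"
}

# Only start snort when explicitly asked ("wrapper.sh run" from cron), so the
# functions above can be sourced or tested without touching the sensor.
case "${1:-}" in
    run)
        stamp=$(date +%Y%m%d.%H)
        dir=$(log_dir "$stamp")
        mkdir -p "$dir"
        write_alert_include "$dir" "$INCLUDE"
        # Snort 1.x does not re-read its config; stop the previous hour's
        # daemon before starting the new one (pkill assumed available).
        pkill -x snort 2>/dev/null || true
        sh -c "$(snort_cmd "$dir")"
        ;;
esac
```

Run it as `wrapper.sh run` from the hourly crontab entry. Because the main conf still contains `output alert_syslog: LOG_AUTH LOG_ALERT` and `include /var/log/snort/rules/alert`, each hourly instance gets both syslog notification and a full alert file, and with -l its packet logs sit beside that alert file instead of under /var/log/snort.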