[Snort-users] Syslog trouble

Rich Adamson radamson at ...2127...
Tue May 29 16:20:48 EDT 2001


> I'm sure this is an easy question but it's been giving me trouble for a while.
> 
> I can't seem to get anything to log to syslog.  Logging is fine in the 
> directories (I'm using 1.7).
> 
> This is the command line:  snort -i eth1 -D -s -l /var/log/snort
> 
> in snort.conf I've tried output: alert_syslog: LOG_AUTH LOG_INFO
> 
> I have also tried without that and still nothing.  I'm testing with the rule
> 
> alert any any any <> any any (msg: "STUFF: ";)
> 
> 
> I'd like to see the alerts go to /var/log/messages.  My syslog.conf looks 
> to be ok.  Haven't changed it from the default (rh 7.1).
> 
> Please reply to my address as well (I use digests).  Thanks

Mike,

To have snort send syslog messages, the command line must include
"-s 10.1.1.1" as in...
  snort -i eth0 -s 10.1.1.1 -D ... etc

The LOG_AUTH and LOG_INFO parameters have no useful purpose as it appears
the source code to handle changing these two parameters was never
implemented.

Rich
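The thread is about confirming that Snort alerts actually land in syslog. Below is an added check, not code from the original post or from the Snort project: it scans syslog text for lines written by Snort's alert_syslog output and reports whether a given rule message (here the "STUFF:" test rule from the question) reached the log. The sample lines are constructed in the style of a /var/log/messages file; the exact line layout (in particular the optional "[gid:sid:rev]" prefix) varies between Snort versions, so the pattern treats that prefix as optional and that is an assumption, not something the post states.

```python
import re

# Constructed sample lines in the style of Snort's alert_syslog output as it
# would appear in /var/log/messages; illustrative, not a captured log.
SAMPLE_MESSAGES = """\
May 29 16:20:48 sensor snort: [1:0:0] STUFF:  {TCP} 10.0.0.5:33121 -> 10.0.0.9:80
May 29 16:20:49 sensor snort: [1:0:0] STUFF:  {UDP} 10.0.0.5:53 -> 10.0.0.9:53
May 29 16:20:50 sensor sshd[812]: Accepted password for mike from 10.0.0.7 port 4022 ssh2
May 29 16:20:51 sensor snort: [1:2:1] CHECK:  {ICMP} 10.0.0.5 -> 10.0.0.9
"""

# Matches the body of a syslog line written by Snort's alert_syslog plugin.
# The "[gid:sid:rev]" prefix is optional (assumption: older builds omit it),
# so the rule message, protocol and endpoints are extracted either way.
SNORT_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) snort(?:\[\d+\])?: "
    r"(?:\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] )?"
    r"(?P<msg>.*?)\s+"
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)


def parse_snort_syslog(text):
    """Return one dict per Snort alert found in the syslog text.

    Lines from other daemons (sshd, cron, ...) are skipped, so the result
    only contains what Snort itself handed to syslog.
    """
    alerts = []
    for line in text.splitlines():
        m = SNORT_LINE.match(line)
        if m:
            alerts.append(m.groupdict())
    return alerts


def alerts_reached_syslog(text, msg):
    """True if at least one Snort alert carrying rule message `msg` was logged."""
    return any(a["msg"] == msg for a in parse_snort_syslog(text))


if __name__ == "__main__":
    # Read the real file instead of the sample when run on a sensor:
    #   text = open("/var/log/messages").read()
    for a in parse_snort_syslog(SAMPLE_MESSAGES):
        print(a["proto"], a["src"], "->", a["dst"], a["msg"])
    print("STUFF: reached syslog:", alerts_reached_syslog(SAMPLE_MESSAGES, "STUFF:"))
```

If the test rule fires (visible in the alert file under /var/log/snort) but this check finds nothing in /var/log/messages, the problem is on the syslog side of the path (the -s option or the syslog.conf routing for the chosen facility), not in the rule.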
