[Snort-users] Syslog trouble
jsage at ...2022...
Wed May 30 09:32:45 EDT 2001
I was surprised at the -s 127.0.0.1 syntax (somebody else had 10.0.0.1 I
I'm not seeing how man snort talks about the switch -s in a way that
makes it want an IP after it...
One thing I've noticed is that when you make the transition to using
snort.conf, a lot of the command line switches are contradictory, and
don't generate error messages but don't *work*, either ;-)
...anyway, how's /etc/syslog.conf set up?
cd to /var/log and try "grep snort messages" or "grep snort daemon" and
see if you can find anything..
If you say ps ax, are you seeing klogd and syslogd running?
Is anything getting logged at all?
FinchHaven, Vashon Island, WA, USA
mailto:jsage at ...2022...
"The web is so, like, five minutes ago..."
Michael J Clark wrote:
> I'm using RH7.1. As per the previous message, I tried -s 127.0.0.1 and
> no luck, get a parse error. I tried making a daemon entry and changing
> it to LOG_DAEMON. Still no luck :(
>> You don't say what OS you're using, but I'm not sure that matters a lot
>> (well, it *may* matter some, but I dunno.. ;-)
>> Under Linux 2.2.14 I have in snort.conf:
>> # Use one or more syslog facilities as arguments
>> # DAEMON = facility; ALERT = priority at man syslog.conf(5)
>> output alert_syslog: LOG_DAEMON LOG_ALERT
>> And in /etc/syslog.conf I have:
>> daemon.* /var/log/daemon
>> mail.none;news.none;authpriv.none /var/log/messages
>> Messages appear specifically in /var/log/messages and /var/log/daemon
>> And messages are picked up out of those by Psionic's logcheck and mailed
>> to me on several boxen..
>> snort command line:
>> snort -b -i ppp0 -c /usr/local/snort-1.7/snort.conf &
>> - John
>> John Sage
>> FinchHaven, Vashon Island, WA, USA
>> mailto:jsage at ...2022...
>> "The web is so, like, five minutes ago..."
>> Michael J Clark wrote:
>>> Hey guys,
>>> I'm sure this is an easy question, but it's been giving me trouble for a while.
>>> I can't seem to get anything to log to syslog. Logging is fine in the
>>> directories (I'm using 1.7).
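The thread turns on two config fragments: Snort's `output alert_syslog: LOG_DAEMON LOG_ALERT` line and the selectors in /etc/syslog.conf. The script below is an added example, not code from the thread or from Snort: it parses the Snort line into a facility/priority pair, parses a syslog.conf, and reports which actions (files, hosts, users) a `daemon.alert` message would reach, so you know which files to grep before concluding Snort is not logging. The selector rules are modelled on sysklogd's syslog.conf(5) (facility.priority, `=`, `!`, `none`, `*`); that reading is an assumption. The sample syslog.conf is constructed: it carries the two lines quoted above plus the `*.info;` selector that a stock Red Hat 7.x messages line begins with (an assumption, since the quoted line shows only the `.none` entries), and a few more stock rules so the resolver has something to exclude.

```python
"""Resolve where syslog.conf routes a facility/priority, and which pair a
Snort 1.x 'output alert_syslog:' line produces.  Added example, not Snort code."""
import re

# Priorities in syslog.h order: emerg=0 ... debug=7.  "prio and above" in
# syslog.conf(5) means numerically <= prio (more severe).
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRIO_ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + ["local%d" % i for i in range(8)]
FAC_ALIASES = {"security": "auth"}


def _prio_num(name):
    name = PRIO_ALIASES.get(name, name)
    if name not in PRIORITIES:
        raise ValueError("unknown priority %r" % name)
    return PRIORITIES.index(name)


def _facility(name):
    name = FAC_ALIASES.get(name, name)
    if name not in FACILITIES:
        raise ValueError("unknown facility %r" % name)
    return name


def _apply_selector(sel, mask):
    """Apply one 'facilities.priospec' selector to the per-facility mask.

    Assumed sysklogd semantics (my reading of syslog.conf(5)):
      fac.prio   -> prio and more severe (replaces this facility's mask)
      fac.=prio  -> exactly prio (added to the mask)
      fac.!prio  -> drop prio and more severe
      fac.!=prio -> drop exactly prio
      fac.none   -> nothing from this facility
      fac.*      -> every priority
    Later selectors on the same line override earlier ones per facility.
    """
    facs, _, spec = sel.rpartition(".")
    if not facs or not spec:
        raise ValueError("bad selector %r" % sel)
    targets = FACILITIES if facs == "*" else [_facility(f) for f in facs.split(",")]
    ignore = spec.startswith("!")
    spec = spec.lstrip("!")
    exact = spec.startswith("=")
    spec = spec.lstrip("=")
    if spec == "none":
        prios = set()
    elif spec == "*":
        prios = set(range(len(PRIORITIES)))
    elif exact:
        prios = {_prio_num(spec)}
    else:
        prios = set(range(_prio_num(spec) + 1))  # this priority and more severe
    for f in targets:
        if ignore:
            mask[f] = mask.get(f, set()) - prios
        elif exact:
            mask[f] = mask.get(f, set()) | prios
        else:
            mask[f] = set(prios)


def parse_syslog_conf(text):
    """Return [(mask, action)] rules in file order; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("rule without action: %r" % raw)
        mask = {}
        for sel in parts[0].split(";"):
            if sel:
                _apply_selector(sel, mask)
        rules.append((mask, parts[1].strip()))
    return rules


def routes(conf_text, facility, priority):
    """Every action (file, remote host, user list) that receives facility.priority."""
    fac, pnum = _facility(facility), _prio_num(priority)
    return [action for mask, action in parse_syslog_conf(conf_text)
            if pnum in mask.get(fac, set())]


def snort_syslog_target(snort_conf_text):
    """(facility, priority) from 'output alert_syslog: LOG_xxx LOG_yyy' (Snort 1.7
    syntax as quoted in the thread).  Both tokens are required; no defaults assumed."""
    m = re.search(r"^\s*output\s+alert_syslog\s*:\s*(.*)$", snort_conf_text, re.M)
    if not m:
        raise ValueError("no 'output alert_syslog:' line found")
    fac = prio = None
    for tok in m.group(1).split():
        name = tok.lower()
        name = name[4:] if name.startswith("log_") else name
        if name in FACILITIES or name in FAC_ALIASES:
            fac = _facility(name)
        elif name in PRIORITIES or name in PRIO_ALIASES:
            prio = PRIO_ALIASES.get(name, name)
        else:
            raise ValueError("unrecognised alert_syslog argument %r" % tok)
    if fac is None or prio is None:
        raise ValueError("alert_syslog needs both a LOG_ facility and a LOG_ priority")
    return fac, prio


def snort_alert_destinations(snort_conf_text, syslog_conf_text):
    """Where syslogd would put Snort's alerts under these two configs."""
    fac, prio = snort_syslog_target(snort_conf_text)
    return routes(syslog_conf_text, fac, prio)


# Constructed sample (assumption): the two lines quoted in the thread plus the
# stock Red Hat 7.x '*.info' selector and a few other stock rules.
SAMPLE_SYSLOG_CONF = """\
# Log anything (except mail) of level info or higher.
*.info;mail.none;news.none;authpriv.none        /var/log/messages
authpriv.*                                      /var/log/secure
mail.*                                          -/var/log/maillog
daemon.*                                        /var/log/daemon
*.emerg                                         *
"""

SAMPLE_SNORT_CONF = """\
# Use one or more syslog facilities as arguments
output alert_syslog: LOG_DAEMON LOG_ALERT
"""

if __name__ == "__main__":
    print(snort_alert_destinations(SAMPLE_SNORT_CONF, SAMPLE_SYSLOG_CONF))
```

With the sample configs the resolver reports both /var/log/messages and /var/log/daemon, which is the pair John greps; a debug-level daemon message lands only in /var/log/daemon because the `*.info` selector stops below it. If the resolver names a file and `grep snort` still finds nothing there, the problem is upstream of syslogd's routing (Snort not sending, or syslogd not running), which is exactly what the `ps ax` check above is for.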