[Snort-users] problems with snort logging to both database and /var/log/snort

Erik Melander Emelander at ...3910...
Thu Oct 25 14:32:07 EDT 2001

My environment consists of 2 machines: a sensor and an analyzer.  The sensor is running snort in packet sniffing mode and logging to a binary tcpdump file that every hour is pulled off the sensor from the analyzer via scp.  On the analyzer the binary tcpdump file is read in using the following syntax:

snort -c /etc/snort/sensor.snort.conf -r tcp.2001102515

I have configured my logging as such:

output alert_syslog: LOG_AUTH LOG_ALERT LOG_PID
output database: alert, mysql, user=XXXXXX password=XXXXXX dbname=snort host=localhost sensor_name=XXXXXX

While snort is properly logging to the database, it is also dumping data into the /var/log/snort directory in the form of IP address named sub-directories with alerts contained in said directories.  Is there a switch or a parameter in my snort.conf that I can use to prevent this extraneous logging?  Thanks!
