[Snort-users] how do I stop snort logging to /var/log/snort and only the database?

Erik Melander Emelander at ...3910...
Sat Oct 27 10:46:02 EDT 2001


My environment consists of 2 machines: a sensor and an analyzer. The sensor is running snort in packet sniffing mode and logging to a binary tcpdump file that every hour is pulled off the sensor from the analyzer via scp. On the analyzer the binary tcpdump file is read in using the following syntax:

snort -c /etc/snort/sensor.snort.conf -r tcp.2001102515

I have configured my logging as such:

output alert_syslog: LOG_AUTH LOG_ALERT LOG_PID
output database: alert, mysql, user=XXXXXX password=XXXXXX dbname=snort host=localhost sensor_name=XXXXXX

While snort is logging to the database as I would expect, it is also dumping data into the /var/log/snort directory in the form of IP-address-named sub-directories with alerts contained in said directories. Is there a switch or a parameter in my snort.conf that I can use to prevent this extraneous logging? If I have missed something in the readmes and FAQ, please direct me to the appropriate section. Thanks!
