[Snort-users] Logging not working
gewasiuk at ...3392...
Thu Sep 20 22:28:03 EDT 2001
On Thu, 20 Sep 2001, Ed Kasky wrote:
> At 12:39 AM 9/21/2001 -0400, Gordon Ewasiuk wrote:
> >On Thu, 20 Sep 2001, Ed Kasky wrote:
> >touch /var/log/snort/alert
> >then restart snort.
> Did just that - had no effect. It did create another set of snort.alert
> and snort.log though - and I noticed that the older ones had something in
Got my wires crossed. I'm doing high-perf config which logs to
/var/log/snort/alert in ASCII text.
> 2096 Sep 20 21:44 0920 at ...3540...
> 4096 Sep 20 21:08 0920 at ...3541...
> 0 Sep 20 21:44 0920 at ...3543...
> 0 Sep 20 21:44 0920 at ...3544...
> But - when I tried to view them I get the following:
> "0920 at ...3540..." may be a binary file. See it anyway?
> Is this a database file????
Appears so. You got a '-b' on your snort cmd line? That logs to a binary
file. Think you gotta replay those like tcpdump. Logging to binary file
is faster (says docs). To replay the binary file and view stuff,
quoting from snort.org:
To read this file back and break out the data in the familiar Snort
format, just rerun Snort on the data file with the "-r" option and the
other options you would normally use. For example:
Also, if you want to log to ascii text file, try:
<path to snort> -b -A fast -c <path to snort.conf>
That should log to /var/log/snort/alert in ASCII text.
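The "is this a binary file?" question above comes up whenever a box has been running with -b: the files under /var/log/snort are then tcpdump-format captures, not ASCII alerts. The following is an added example, not something posted in this thread, that tells the two apart by the first four bytes of the file before you decide whether to open it in a pager or replay it with "snort -r". The pcap magic values are the standard libpcap ones; that Snort's -b output uses libpcap format is an assumption of this example. The sample files it creates are constructed inline so it runs without Snort installed.

```shell
#!/bin/sh
# Added example (not from the original thread): classify a Snort log file as
# tcpdump/pcap binary (what -b writes, assumed libpcap format) or plain text
# (what -A fast writes to /var/log/snort/alert) by inspecting its first
# four bytes rather than trusting the filename.

log_kind() {
    # Print "pcap", "text" or "empty" for the file named in $1.
    f=$1
    if [ ! -s "$f" ]; then
        echo empty
        return 0
    fi
    # First four bytes as lowercase hex, e.g. "d4c3b2a1".
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    case "$magic" in
        # classic and nanosecond libpcap magics, both byte orders
        a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1) echo pcap ;;
        *) echo text ;;
    esac
}

# Constructed sample files in a scratch directory (not real Snort output).
tmp=${TMPDIR:-/tmp}/snort-logkind.$$
mkdir -p "$tmp"
# Little-endian pcap global header start: magic d4 c3 b2 a1, version 2.4.
printf '\324\303\262\241\002\000\004\000' > "$tmp/snort.log"
# An ASCII alert line in the fast-alert style.
printf '[**] [1:0:0] constructed sample alert [**]\n' > "$tmp/alert"
: > "$tmp/empty"

for f in "$tmp/snort.log" "$tmp/alert" "$tmp/empty"; do
    printf '%s: %s\n' "$f" "$(log_kind "$f")"
done
# A file reported as "pcap" is the one to hand to:
#   <path to snort> -r "$tmp/snort.log" -c <path to snort.conf>
# rather than to a text viewer.
```

A file that classifies as "pcap" is the case the poster hit: it is not a database, just a packet capture that needs "-r" (or tcpdump) to be read back, while a "text" result is the ASCII alert file that "-A fast" produces.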