[Snort-users] Alert OR syslog?

Weiss, Jeffrey H. Jeffrey.Weiss at ...7679...
Thu Dec 5 09:54:04 EST 2002


Hi, Alberto,
Thanks for your response.
Reasons for 3 types of logging (may not be good reasons):
1. Binary format allows analysis tools to be leveraged (snortsnarf).
2. Alert log provides local easily perused/tailed indicator of nasties and
falsies.
3. Syslog entries can be directed off-server to a remote central logging
server.
I could work without the alert log but don't understand why enabling syslog
disables it.

Not sure I understand your blame_cmg...new flag?
Thanks,
Jeffrey

-----Original Message-----
From: Alberto Gonzalez [mailto:albertg at ...7149...]
Sent: Thursday, December 05, 2002 2:00 PM
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Alert OR syslog?


In your command line, you're doing binary logging (-b), full logging (-A 
full) and syslog (-s).
I haven't tried to do both syslog and FULL (waste of time?).

When I run it with the following command snort seems to run fine:

/usr/local/bin/snort -c /etc/snort/snort.conf -I -A full -s blame_cmg -i rl0

So give that a try, I'm not sure why someone wants 3 logging mechanisms, 
but hey!

Cheers!

   - Alberto

(sorry cmg for the syslog part :-)) <grin>


Weiss, Jeffrey H. wrote:

> I am wondering why I cannot get both an alert log written AND 
> syslogging to occur.
>
> My command line invocation:
> snort -b -c /usr/local/etc/snort/snort.conf -I -A full -l 
> /logs/UA/snort -s -i qfe0
>
> Pertinent snort.conf(?):
> output alert_syslog: LOG_ALERT
>
> Is there something too obvious here?
> Thanks!
> Jeffrey Weiss
>

-- 
The secret to success is to start from scratch and keep on scratching.
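Added example (not from this thread, and not Jeffrey's or Alberto's configuration): one way to get all three of Jeffrey's logging targets at once is to declare them as stacked output plugins in snort.conf instead of selecting them with command-line switches. The Snort manual notes that command-line alert and log options (-A, -s, -b) override the output directives in the configuration file, so they are deliberately left off the command line here. Plugin syntax is the Snort 1.9/2.x output-module syntax; the file names, the LOG_AUTH facility and the log directory are assumed values.

```conf
# Added example: stacked output plugins in snort.conf (not from the thread).
# Plugins of the same type (alert / log) are stacked and each one fires for
# every event, so all three destinations below are written.

# Alert plugin 1: full alert text to <logdir>/alert for local perusal/tailing
output alert_full: alert

# Alert plugin 2: same alerts to syslog, facility LOG_AUTH, priority LOG_ALERT;
# syslogd can then forward them to a remote central logging server
output alert_syslog: LOG_AUTH LOG_ALERT

# Log plugin: packets in binary (tcpdump) format for snortsnarf and friends,
# replacing the -b command-line switch
output log_tcpdump: snort.log
```

With those directives in place, start Snort without -A, -s or -b so the config file governs output, e.g. `snort -c /usr/local/etc/snort/snort.conf -l /logs/UA/snort -I -i qfe0` (assumed paths and interface, modelled on Jeffrey's invocation). If an alert still reaches only one destination, check whether a leftover command-line switch is overriding the config.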



