[Snort-users] Alert OR syslog?

Don Don at ...5881...
Thu Dec 5 11:38:04 EST 2002

RE: [Snort-users] Alert OR syslog?umm, with -s you need to put in the syslog
server address, so would become
/usr/local/bin/snort -c /etc/snort/snort.conf -I -A full -s blame_cmg -i rl0
would become
/usr/local/bin/snort -c /etc/snort/snort.conf -I -A full -s -i rl0

or you would put your syslog server IP addy there with the listening tcp
port number, works for me. for some reason its always required me to put in
the port number,


  -----Original Message-----
  From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Weiss, Jeffrey
  Sent: Thursday, December 05, 2002 9:57 AM
  To: 'Alberto Gonzalez'
  Cc: snort-users at lists.sourceforge.net
  Subject: RE: [Snort-users] Alert OR syslog?

  Hi, Alberto,
  Thanks for your response.
  Reasons for 3 types of logging (may not be good reasons):
  1. Binary format allows analysis tools be leveraged (snortsnarf).
  2. Alert log provides local easily perused/tailed indicator of nasties and
  3. Syslog entries can be directed off-server to a remote central logging
  I could work without the alert log but don't understand why enabling
syslog disables it.

  Not sure I understand your blame_cmg...new flag?

  -----Original Message-----
  From: Alberto Gonzalez [mailto:albertg at ...7149...]
  Sent: Thursday, December 05, 2002 2:00 PM
  Cc: snort-users at lists.sourceforge.net
  Subject: Re: [Snort-users] Alert OR syslog?

  In your command line, your doing binary logging (-b), full logging (-A
  full) and syslog (-s).
  I haven't tried todo both syslog and FULL (waste of time?).

  When I run it with the following command snort seems to run fine:

  /usr/local/bin/snort -c /etc/snort/snort.conf -I -A full -s blame_cmg -i

  So give that a try, im not sure why someone wants 3 logging mechanisms,
  but hey!


     - Alberto

  (sorry cmg for the syslog part :-)) <grin>

  Weiss, Jeffrey H. wrote:

  > I am wondering why I cannot get both an alert log written AND
  > syslogging to occur.
  > My command line invocation:
  > snort -b -c /usr/local/etc/snort/snort.conf -I -A full -l
  > /logs/UA/snort -s -i qfe0
  > Pertinent snort.conf(?):
  > output alert_syslog: LOG_ALERT
  > Is there something too obvious here?
  > Thanks!
  > Jeffrey Weiss

  The secret to success is to start from scratch and keep on scratching.

  This sf.net email is sponsored by:ThinkGeek
  Welcome to geek heaven.
  Snort-users mailing list
  Snort-users at lists.sourceforge.net
  Go to this URL to change user options or unsubscribe:
  Snort-users list archive:
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20021205/2b802dde/attachment.html>

More information about the Snort-users mailing list