[Snort-users] RE: Alert OR syslog?

L. Christopher Luther CLuther at ...6333...
Fri Dec 6 09:58:02 EST 2002


Snort's command line directives sometimes do "strange" (my opinion only)
things, so it is possible that by specifying two alert facilities on the
command line, one is taking precedence over the other.  

Instead, I use output directives in the snort.conf file to specify multiple
log and/or alert facilities.  Have you tried placing the following in your
snort.conf:  

output alert_full: alert.ids
output alert_syslog: LOG_AUTH LOG_ALERT

And removing the "-A fast" and "-s" command line options?  This will alert
first to the ASCII file alert.ids, then to the syslog facility.  


- Christopher
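
[Added example, not from either poster. The script below is a small checker for the snort.conf output section described in the reply above: it parses "output" directives, flags a plugin line that lacks the leading "output" keyword (the slip that silently leaves alert_syslog out of the chain), reports the order in which alert plugins are stacked, and warns when -A or -s is still on the command line next to output directives. The sample configuration and command line are constructed for the example and modelled on the ones in this thread; the plugin name lists are assumed from the Snort 2.x manual and should be checked against the version actually installed.]

```python
import re
import shlex

# Constructed sample snort.conf fragment for this example (not a real deployment).
# It reproduces the two-plugin setup suggested in the reply, with the "output"
# keyword accidentally dropped from the second line.
SAMPLE_CONF = """\
# alerting: write full ASCII alerts, then forward to syslog
output alert_full: alert.ids
alert_syslog: LOG_AUTH LOG_ALERT
output log_tcpdump: snort.log
"""

# Constructed command line, modelled on the one in the original question.
SAMPLE_CMDLINE = ("snort -b -c /usr/local/etc/snort/snort.conf -I -A full "
                  "-l /logs/UA/snort -s -i qfe0")

# Output plugin names, split by which chain they attach to (alert or log).
# Assumed fixed lists taken from the Snort 2.x manual; adjust for your version.
ALERT_PLUGINS = {"alert_syslog", "alert_fast", "alert_full", "alert_unixsock"}
LOG_PLUGINS = {"log_tcpdump", "log_null"}
BOTH_PLUGINS = {"database", "csv", "xml", "unified"}  # chain chosen by first arg
ALL_PLUGINS = ALERT_PLUGINS | LOG_PLUGINS | BOTH_PLUGINS

DIRECTIVE_RE = re.compile(r"^output\s+(?P<plugin>\w+)\s*(?::\s*(?P<args>.*?))?\s*$")
# A plugin line with no "output" keyword in front of it: the slip from the thread.
BARE_PLUGIN_RE = re.compile(r"^(?P<plugin>\w+)\s*:\s*(?P<args>.*?)\s*$")


def parse_output_directives(conf_text):
    """Return (directives, problems).

    directives: list of (lineno, plugin, args) for well-formed 'output' lines.
    problems:   strings describing lines Snort will not treat as output directives.
    """
    directives, problems = [], []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            plugin = m.group("plugin")
            if plugin not in ALL_PLUGINS:
                problems.append(f"line {lineno}: unknown output plugin '{plugin}'")
                continue
            directives.append((lineno, plugin, m.group("args") or ""))
            continue
        m = BARE_PLUGIN_RE.match(line)
        if m and m.group("plugin") in ALL_PLUGINS:
            problems.append(f"line {lineno}: '{line}' is missing the leading "
                            f"'output' keyword and is not an output directive")
    return directives, problems


def alert_chain(directives):
    """Plugins that receive alerts, in declaration order (first declared fires first)."""
    chain = []
    for _, plugin, args in directives:
        if plugin in ALERT_PLUGINS:
            chain.append(plugin)
        elif plugin in BOTH_PLUGINS and args.replace(",", " ").split()[:1] == ["alert"]:
            chain.append(plugin)
    return chain


def fix_missing_output_keyword(conf_text):
    """Return conf_text with 'output ' prepended to bare plugin lines."""
    fixed = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        m = BARE_PLUGIN_RE.match(line)
        if m and m.group("plugin") in ALL_PLUGINS:
            fixed.append("output " + line)
        else:
            fixed.append(raw)
    return "\n".join(fixed) + "\n"


def cmdline_conflicts(cmdline, directives):
    """Warn when -A or -s is on the command line while snort.conf already declares
    alert output plugins; the reply above advises removing both switches."""
    argv = shlex.split(cmdline)
    warnings = []
    if not alert_chain(directives):
        return warnings
    if "-A" in argv:
        i = argv.index("-A")
        mode = argv[i + 1] if i + 1 < len(argv) else "?"
        warnings.append(f"-A {mode} on the command line duplicates the alert plugins "
                        f"in snort.conf; drop it")
    if "-s" in argv:
        warnings.append("-s on the command line duplicates alert_syslog in snort.conf; drop it")
    return warnings


if __name__ == "__main__":
    directives, problems = parse_output_directives(SAMPLE_CONF)
    for p in problems:
        print("PROBLEM:", p)
    print("alert chain as written:", alert_chain(directives))
    directives, _ = parse_output_directives(fix_missing_output_keyword(SAMPLE_CONF))
    print("alert chain after fix:  ", alert_chain(directives))
    for w in cmdline_conflicts(SAMPLE_CMDLINE, directives):
        print("WARNING:", w)
```

Run against the constructed sample, the checker reports that only alert_full is in the alert chain, points at the alert_syslog line as the cause, and after the fix shows alert_full followed by alert_syslog, which is the "file first, then syslog" order described above.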


-----Original Message-----
From: "Weiss, Jeffrey H." <Jeffrey.Weiss at ...7679...>
To: snort-users at lists.sourceforge.net
Date: Thu, 5 Dec 2002 08:51:05 -0700 
Subject: Alert OR syslog?

I am wondering why I cannot get both an alert log written AND syslogging to
occur.

My command line invocation: 
snort -b -c /usr/local/etc/snort/snort.conf -I -A full -l /logs/UA/snort -s
-i qfe0

Pertinent snort.conf(?):
output alert_syslog: LOG_ALERT

Is there something too obvious here?
Thanks!
Jeffrey Weiss