[Snort-users] logging to syslog

Chris Green cmg at ...671...
Wed Feb 20 08:15:25 EST 2002


Madhav Diwan <mdiwan at ...200...> writes:

> Is there a way to log alerts to the /var/log/secure file instead of the
> /var/log/messages file? 
>
>  I am using redhat 7.2  snort 1.8.3-5 
> and the following commandline in /etc/init.d/snortd:
>
> 	daemon /usr/sbin/snort -l /var/log/snort -d -D \
> 		 -i $INTERFACE -c /etc/snort/snort.conf
>
>  /etc/snort/snort.conf is configured to log to syslog 
>
>  output alert_syslog: LOG_AUTH LOG_ALERT
>

rh 7.2 syslog.conf:
# The authpriv file has restricted access.
authpriv.*                     /var/log/secure

try:
output alert_syslog: LOG_AUTHPRIV LOG_ALERT

according to rh 7.2 syslog(3),

 LOG_AUTH
        security/authorization messages (DEPRECATED Use LOG_AUTHPRIV instead)

 LOG_AUTHPRIV
              security/authorization messages (private)



obsd 3.0's

LOG_AUTH      The authorization system: login(1), su(1), getty(8), etc.

LOG_AUTHPRIV  The same as LOG_AUTH, but logged to a file readable only by
              selected individuals.

so it does seem at least 2 people agree that AUTHPRIV stuff goes to
secure which is where trusted admins can look rather than pimply faced
youths.

> but the messages end up in the messages file
> and i want them to go to the secure file as they did in snort 1.7.
>-- 
Chris Green <cmg at ...671...>
To err is human, to moo bovine.
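The routing discussed in the reply above is decided entirely by the selector lines in syslog.conf: the `authpriv.none` exclusion on the `/var/log/messages` line and the `authpriv.*` line for `/var/log/secure`. The following Python is an added illustration, not code from this thread or from Snort; it parses a constructed syslog.conf modelled on the Red Hat 7.2 default (only the `authpriv.*` line is taken from the reply; the rest of the file, the function names and the sample paths are assumptions) using classic sysklogd selector semantics, and resolves where an `auth.alert` message lands versus an `authpriv.alert` one.

```python
"""Added example: resolve syslog.conf routing for a (facility, priority) pair.

Classic sysklogd selector semantics: "facility.priority" matches that priority and
everything more severe; "*" matches all priorities; "none" excludes the facility;
"=prio" matches exactly; selectors separated by ';' apply in order, and a later
selector overrides an earlier one for the same facility.
"""

# Order matters: index 0 (emerg) is most severe, as in syslog(3).
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]

# Constructed syslog.conf modelled on a Red Hat 7.2 default (assumption); only the
# authpriv line is quoted in the thread, the other lines and paths are illustrative.
SAMPLE_CONF = """\
# Log anything (except mail) of level info or higher.
*.info;mail.none;authpriv.none;cron.none        /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                      /var/log/secure

mail.*                                          /var/log/maillog
cron.*                                          /var/log/cron
*.emerg                                         *
"""


def _parse_selector(selector):
    """Yield (facility, rule) pairs for one 'facilities.priority' selector."""
    facs, _, prio = selector.rpartition(".")
    if not facs or not prio:
        raise ValueError(f"bad selector: {selector!r}")
    if prio == "*":
        rule = ("min", len(PRIORITIES) - 1)   # debug and more severe == everything
    elif prio == "none":
        rule = ("none", None)
    elif prio.startswith("="):
        rule = ("eq", PRIORITIES.index(prio[1:]))
    else:
        rule = ("min", PRIORITIES.index(prio))
    targets = FACILITIES if facs == "*" else facs.split(",")
    for fac in targets:
        if fac not in FACILITIES:
            raise ValueError(f"unknown facility: {fac!r}")
        yield fac, rule


def parse_conf(text):
    """Return [(per-facility rule map, action)] for each non-comment line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selectors, action = line.split(None, 1)
        rules = {}
        for sel in selectors.split(";"):
            for fac, rule in _parse_selector(sel):
                rules[fac] = rule           # later selectors override earlier ones
        entries.append((rules, action.strip()))
    return entries


def _matches(rule, prio_num):
    kind, level = rule
    if kind == "none":
        return False
    if kind == "eq":
        return prio_num == level
    return prio_num <= level                # lower number == more severe


def routes_for(conf_text, facility, priority):
    """List the actions (log files, '*' for wall, ...) a facility.priority message reaches."""
    prio_num = PRIORITIES.index(priority)
    out = []
    for rules, action in parse_conf(conf_text):
        rule = rules.get(facility)
        if rule is not None and _matches(rule, prio_num):
            out.append(action)
    return out


if __name__ == "__main__":
    # Same Snort alert, logged with LOG_AUTH versus LOG_AUTHPRIV at LOG_ALERT.
    for fac in ("auth", "authpriv"):
        print(f"{fac}.alert -> {routes_for(SAMPLE_CONF, fac, 'alert')}")
```

With this config `auth.alert` reaches only `/var/log/messages`, because `authpriv.none` is the sole exclusion on that line, while `authpriv.alert` is excluded there and picked up by `authpriv.*` for `/var/log/secure`. Swapping the facility in `output alert_syslog:` is therefore what moves the alerts, not anything on the Snort side.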