[Snort-users] logging to syslog
mdiwan at ...200...
Wed Feb 20 10:34:06 EST 2002
Thank you .. That works quite well.
On Wed, 2002-02-20 at 11:14, Chris Green wrote:
Madhav Diwan <mdiwan at ...200...> writes:
> Is there a way to log alerts to the /var/log/secure file instead of
> /var/log/messages file?
> I am using redhat 7.2 snort 1.8.3-5
> and the following commandline in /etc/init.d/snortd:
> daemon /usr/sbin/snort -l /var/log/snort -d -D \
> -i $INTERFACE -c /etc/snort/snort.conf
> /etc/snort/snort.conf is configured to log to syslog
> output alert_syslog: LOG_AUTH LOG_ALERT
rh 7.2 syslog.conf:
# The authpriv file has restricted access.
output alert_syslog: LOG_AUTHPRIV LOG_ALERT
according to rh 7.2 syslog(3),
security/authorization messages (DEPRECATED Use LOG_AUTHPRIV
security/authorization messages (private)
LOG_AUTH The authorization system: login(1), su(1), getty(8), etc.
LOG_AUTHPRIV The same as LOG_AUTH, but logged to a file readable only
so it does seem at least 2 people agree that AUTHPRIV stuff goes to
secure which is where trusted admins can look rather than pimply faced
> but the messages end up in the messages file
> and I want them to go to the secure file as they did in snort 1.7.
Chris Green <cmg at ...671...>
To err is human, to moo bovine.
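The routing discussed in this thread, as an added example that is not part of the original messages: a simplified model of syslogd selector matching that shows which file a Snort `alert_syslog` facility lands in. The rules in `SAMPLE_CONF` are constructed in the style of a Red Hat syslog.conf (an assumption, not copied from the thread), and the function names are hypothetical.

```python
# Simplified syslogd selector matching (no "=" or "!" prefixes handled).
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

# Constructed sample rules in the style of a Red Hat syslog.conf (assumption,
# not taken from the thread).
SAMPLE_CONF = """\
# Log anything of level info or higher, except private authentication messages.
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
# The authpriv file has restricted access.
authpriv.*                                  /var/log/secure
mail.*                                      /var/log/maillog
"""

def selector_matches(selector, facility, priority):
    """Return True if a ';'-separated selector list matches facility.priority."""
    matched = False
    for part in selector.split(";"):
        facs, _, level = part.partition(".")
        names = facs.split(",")
        if "*" not in names and facility not in names:
            continue                 # this part says nothing about our facility
        if level == "none":
            matched = False          # a later "none" cancels an earlier match
        elif level == "*":
            matched = True
        else:
            # "facility.level" selects that level and anything more severe
            matched = matched or PRIORITIES.index(priority) >= PRIORITIES.index(level)
    return matched

def destinations(conf, facility, priority):
    """List the actions (log files) of every rule that matches the message."""
    out = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        if selector_matches(selector, facility, priority):
            out.append(action.strip())
    return out

def snort_destinations(conf, output_line):
    """Map a Snort 'output alert_syslog: LOG_X LOG_Y' line to log files."""
    facility, priority = output_line.split(":", 1)[1].split()
    return destinations(conf, facility[4:].lower(), priority[4:].lower())
```

With these sample rules, `LOG_AUTH LOG_ALERT` is caught by the `*.info` rule and goes to /var/log/messages, while `LOG_AUTHPRIV LOG_ALERT` is excluded there by `authpriv.none` and goes only to /var/log/secure.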