[Snort-users] Problems logging to syslog and mysql simultaneously

Don Don at ...5881...
Sat Jun 22 23:06:01 EDT 2002


You're special, of course. You must have a special version of Windows.
I darn sure can't do it, but I may try the hack from Frank.

Don


> >-----Original Message-----
> >From: snort-users-admin at lists.sourceforge.net
> >[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Michael
> >Steele
> >Sent: Friday, June 21, 2002 9:36 PM
> >To: 'Frank Knobbe'; snort-users at lists.sourceforge.net
> >Cc: Chris Reid
> >Subject: RE: [Snort-users] Problems logging to syslog and
> >mysqlsimultaneously
> >
> >
> >Frank,
> >
> >I'm running Windows and I am logging to local syslog using Snort.conf,
> >I'm not using the -s switch. I'm also logging to MySQL.
> >
> >I'm going to forward this to Chris Reid and see what he has to say about
> >this. This may be useful, but why am I able to log to the local syslog
> >using snort.conf and others are having problems?
> >
> >Michael Steele | System Engineer / System Administrator     
> >mailto:michaels at ...155...
> >http://www.silicondefense.com
> >
> >-----Original Message-----
> >From: snort-users-admin at lists.sourceforge.net
> >[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Frank
> >Knobbe
> >Sent: June 21, 2002 8:48 PM
> >To: Michael Steele
> >Cc: 'Don'; snort-users at lists.sourceforge.net
> >Subject: RE: [Snort-users] Problems logging to syslog and
> >mysqlsimultaneously
> >
> >On Wed, 2002-06-19 at 19:38, Michael Steele wrote:
> >> Don,
> >> 
> >> Hummm... This is bizarre... I have 37k alerts in my Syslog, so I know it
> >> works. Are you sure you don't have some service turned off that is
> >> preventing the alerts from arriving?
> >> 
> >> What version of Snort?
> >> 
> >> Do you have alerts in the syslog?
> >> 
> >> Can you send me your snort.conf?
> >
> >
> >Not at all bizarre. I think this affects only the Windows version.
> >Here's why. The syslog config in snort.conf is useless on Windows
> >machines since it does not specify an IP address of a syslog server.
> >Windows does not have a native syslog thingy, so without specifying an IP
> >address, Snort doesn't log. Again, only under Windows. Under *nix, the
> >syslog config in snort.conf works fine.
> >
> >If you specify a syslog server with -s in the command line, you enable
> >Snort-win32 to log to syslog. However, the command line option overrides
> >the snort.conf, so other outputs don't work.
> >
> >The solution is to hack the code. You can have Snort accept the -s
> >option, and at the same time still use snort.conf outputs. So after the
> >hack, you can log to syslog and *SQL.
> >
> >In snort.c, within ParseCmdLine, you'll find:
> >
> >#ifdef WIN32
> >            case 'E':                /* log alerts to Event Log */
> >                pv.syslog_flag = 1;
> >                pv.syslog_remote_flag = 0;
> >                DebugMessage(DEBUG_INIT, "Logging alerts to Event Log\n");
> >                pv.alert_cmd_override = 1;
> >                break;
> >#endif
> >
> >Just remove the >pv.alert_cmd_override = 1;< and you can specify -s
> >without overriding the snort.conf.
> >
> >Regards,
> >Frank
> >
> >
> >
> >
> >
> >
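The override behaviour Frank describes above, as an added example that is not Snort's own code: a toy model of the ParseCmdLine flag handling and the output selection that follows it. All names (parse_cmd_line, effective_outputs, run_scenario, the ProgVars fields) are assumed for the illustration; the snort.conf output lines and the "snort -s 10.0.0.5" command line are constructed. Running it with keep_override set to 1 models the original Windows code, and with 0 models the hack with the pv.alert_cmd_override = 1; line removed, so you can see why the MySQL output goes quiet in the first case and comes back in the second.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not Snort's source. Models the ParseCmdLine flag logic
 * from the thread so the effect of pv.alert_cmd_override on the snort.conf
 * output plugins is visible. Every name here is assumed. */

#define MAX_OUTPUTS 8

typedef struct {
    int syslog_flag;         /* an alert-to-syslog switch was given */
    int syslog_remote_flag;  /* -s <host>: remote syslog server */
    int alert_cmd_override;  /* command line replaces snort.conf outputs */
    char syslog_host[64];
} ProgVars;

typedef struct {
    int count;
    const char *names[MAX_OUTPUTS];
} OutputSet;

/* Minimal parser for "-s [host]" and "-E". keep_override == 1 reproduces the
 * original Windows code; 0 reproduces the hack (override line removed). */
static void parse_cmd_line(int argc, char **argv, int keep_override, ProgVars *pv)
{
    memset(pv, 0, sizeof *pv);
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-s") == 0) {
            pv->syslog_flag = 1;
            if (i + 1 < argc && argv[i + 1][0] != '-') {   /* -s <host> */
                pv->syslog_remote_flag = 1;
                snprintf(pv->syslog_host, sizeof pv->syslog_host, "%s", argv[++i]);
            }
            if (keep_override)
                pv->alert_cmd_override = 1;
        } else if (strcmp(argv[i], "-E") == 0) {          /* Event Log */
            pv->syslog_flag = 1;
            pv->syslog_remote_flag = 0;
            if (keep_override)
                pv->alert_cmd_override = 1;
        }
    }
}

/* Merge the command-line alert output with the "output" lines of snort.conf.
 * With alert_cmd_override set, the config outputs are dropped entirely. */
static int effective_outputs(const ProgVars *pv, const char **conf, int nconf, OutputSet *out)
{
    out->count = 0;
    if (pv->syslog_flag)
        out->names[out->count++] = pv->syslog_remote_flag ? "syslog(remote)" : "syslog(local)";
    if (!pv->alert_cmd_override)
        for (int i = 0; i < nconf && out->count < MAX_OUTPUTS; i++)
            out->names[out->count++] = conf[i];
    return out->count;
}

static int has_output(const OutputSet *s, const char *name)
{
    for (int i = 0; i < s->count; i++)
        if (strcmp(s->names[i], name) == 0)
            return 1;
    return 0;
}

/* Constructed scenario: "snort -s 10.0.0.5" with a snort.conf that declares a
 * MySQL database output and a fast alert file. Returns the active count. */
static int run_scenario(int keep_override, OutputSet *out)
{
    char *argv[] = { "snort", "-s", "10.0.0.5" };
    const char *conf_outputs[] = { "database(mysql)", "alert_fast" };
    ProgVars pv;
    parse_cmd_line(3, argv, keep_override, &pv);
    return effective_outputs(&pv, conf_outputs, 2, out);
}

int scenario_count(int keep_override)
{
    OutputSet s;
    return run_scenario(keep_override, &s);
}

int scenario_has(int keep_override, const char *name)
{
    OutputSet s;
    run_scenario(keep_override, &s);
    return has_output(&s, name);
}

int main(void)
{
    for (int keep = 1; keep >= 0; keep--) {
        OutputSet s;
        int n = run_scenario(keep, &s);
        printf("%s: %d active output(s):", keep ? "original" : "hacked", n);
        for (int i = 0; i < n; i++)
            printf(" %s", s.names[i]);
        printf("\n");
    }
    return 0;
}
```

The defender's takeaway is the silent failure mode: with the override in place the database output is not rejected with an error, it simply never runs, so a sensor can look healthy on syslog while the SQL console receives nothing. Whatever Snort build you run, confirm every configured output after a command-line change by checking that a test alert lands in each sink.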