[Snort-users] ASCII logging
bmccarty at ...5196...
Mon Jun 24 15:28:03 EDT 2002
I've been successfully using snort for several months. But, I have yet to
really understand the command-line and configuration-file options related
to logging. In particular, I want snort to generate alerts and perform
binary logging to a specified file and directory. But, it persists in
generating unwanted ASCII logs, which waste disc space and CPU cycles.
My snort invocation is:
daemon /usr/local/bin/snort \
-c $CDIR \
-i $INTERFACE \
-l $DIRBASE/$WEEK/$DATE \
-L $FILE \
And, the relevant contents of snort's configuration file are:
output alert_syslog: LOG_LOCAL1 LOG_INFO
output alert_full: /space1/snort/snort-full
output alert_fast: /space1/snort/snort-fast
log tcp any any <> $HOME_NET any (msg: "Unmatched TCP";session: printable;)
log udp any !8116 <> $HOME_NET any (msg: "Unmatched UDP";session:
log icmp any any <> $HOME_NET any (msg: "Unmatched ICMP";session:
I thought that the -b flag would dispense with ASCII logging. What am I
I realize that having both full and fast alerts is not ideal. But, for
several reasons I find it convenient; so, I prefer to continue generating
the redundant alerts along with the system log entries. It's only the ASCII
logs I want to ditch.
This is snort 1.8.6 (Build 105), under Red Hat Linux 7.2, installed via
tarball rather than RPM.
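As an added example (not from the post and not part of Snort), a small Python audit that parses an invocation plus the snort.conf fragment above and reports which settings still produce ASCII output: a missing bare -b, and log rules carrying the session keyword, which writes printable session data into the log directory regardless of packet logging mode. The command line uses placeholder values for the shell variables, and the two rules cut off in the post are completed as "session: printable;)" as an assumption.

```python
import re
import shlex

# Constructed sample input modelled on the post. Shell variables are replaced
# by placeholder paths; the truncated udp/icmp rules are completed by assumption.
SNORT_CMDLINE = ("/usr/local/bin/snort -c /etc/snort/snort.conf -i eth0 "
                 "-l /space1/snort/logs -L snort.log")
SNORT_CONF = """\
output alert_syslog: LOG_LOCAL1 LOG_INFO
output alert_full: /space1/snort/snort-full
output alert_fast: /space1/snort/snort-fast
log tcp any any <> $HOME_NET any (msg: "Unmatched TCP";session: printable;)
log udp any !8116 <> $HOME_NET any (msg: "Unmatched UDP";session: printable;)
log icmp any any <> $HOME_NET any (msg: "Unmatched ICMP";session: printable;)
"""

# action, protocol, header fields, then the option body inside parentheses
RULE_RE = re.compile(r"^(?P<action>alert|log|pass)\s+(?P<proto>\w+)\s+"
                     r"(?P<hdr>[^(]+)\((?P<opts>.*)\)\s*$")


def parse_rule(line):
    """Return (action, proto, options-dict) for a one-line rule, else None.
    Options are split on ';' (no escaped semicolons inside msg are handled)."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    opts = {}
    for item in filter(None, (s.strip() for s in m.group("opts").split(";"))):
        key, _, value = item.partition(":")
        opts[key.strip()] = value.strip()
    return m.group("action"), m.group("proto"), opts


def binary_logging_enabled(cmdline):
    """True if the invocation carries a bare -b (tcpdump-format packet logging)."""
    return "-b" in shlex.split(cmdline)


def audit(cmdline, conf):
    """List the settings that keep producing ASCII output on disk."""
    findings = []
    if not binary_logging_enabled(cmdline):
        findings.append("no -b flag: log rules default to decoded ASCII packet dirs")
    outputs = {l.split()[1].rstrip(":") for l in conf.splitlines() if l.startswith("output ")}
    if {"alert_full", "alert_fast"} <= outputs:
        findings.append("alert_full and alert_fast both configured (redundant text alerts)")
    for parsed in filter(None, map(parse_rule, conf.splitlines())):
        action, proto, opts = parsed
        if "session" in opts:  # session dumps are ASCII files, independent of -b
            findings.append(f"{action} {proto} rule uses session:{opts['session']}")
    return findings
```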