[Snort-users] Alert vs. Log?
nlindq at ...3834...
Mon Mar 4 15:04:03 EST 2002
Okay, I'm confused.
What exactly is the difference between "log" and "alert?" I'm using
snort 1.8.3 with the following output configuration in
output database: log, mysql, user=[user] password=[password]
Snort is launched from a SysV init script as follows:
daemon /usr/local/bin/snort -u snort -g snort -d -D \
-i $INTERFACE -c /etc/snort/snort.conf
Now, I was under the impression that logging to a database was the
desired behaviour, and that doing so would override the default
logging to syslog, text file etc. However, alerts are still being
recorded in /var/log/snort/alert in plain ASCII. I don't want 'em
there; I'm using ACID to look at the alerts which are logged in the
So how do I convince snort that I don't want ASCII alerts? If I add
"-A none" to the snort command line, then *all* logging (including
the database) is turned off, not just alerts. I would have thought
I'd need "-N" on the command line to turn off logging, but apparently
not. If I switch the output database definition to "alert" instead
of "log", then I don't get all the details about IP addresses, etc.
Nels Lindquist <*>
Information Systems Manager
Morningstar Air Express Inc.
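A small checker for the ASCII alert file the post complains about, /var/log/snort/alert in Snort's "full" alert format. This is an added example and not part of the original message or of Snort itself; the alert text below is constructed to look like that format (signature ids, addresses and timestamps are illustrative) so the script runs offline. In Snort's model the alert facility writes the rule's signature id, message, classification and a one-line header summary, while the log facility is the one that records the whole packet, which is why a parser of this file can recover who talked to whom but never the payload; the script makes that visible by listing exactly which fields are present.

```python
import re
from collections import Counter

# Snort "full" alert records start with a [**] [gid:sid:rev] msg [**] line.
HEADER_RE = re.compile(r'^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$')
CLASS_RE = re.compile(r'^\[Classification: (.+?)\] \[Priority: (\d+)\]$')
# Timestamp, source and destination, each with an optional :port.
PKT_RE = re.compile(r'^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) '
                    r'(\d+\.\d+\.\d+\.\d+)(?::(\d+))? -> '
                    r'(\d+\.\d+\.\d+\.\d+)(?::(\d+))?$')

# Constructed sample of what /var/log/snort/alert looks like in full mode.
SAMPLE_ALERT_FILE = """\
[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/04-15:04:03.123456 10.0.0.5 -> 10.0.0.9
ICMP TTL:64 TOS:0x0 ID:1234 IpLen:20 DgmLen:28
Type:8  Code:0  ID:1  Seq:1  ECHO

[**] [1:1256:2] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
03/04-15:05:10.001234 192.168.1.20:3456 -> 10.0.0.9:80
TCP TTL:128 TOS:0x0 ID:55 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0x4000  TcpLen: 20
"""


def parse_alert_file(text):
    """Return one dict per alert record found in full-format alert text."""
    alerts = []
    cur = None
    for line in text.splitlines():
        line = line.rstrip()
        m = HEADER_RE.match(line)
        if m:
            cur = {
                'gid': int(m.group(1)), 'sid': int(m.group(2)),
                'rev': int(m.group(3)), 'msg': m.group(4),
                'classification': None, 'priority': None,
                'timestamp': None, 'src': None, 'src_port': None,
                'dst': None, 'dst_port': None, 'proto': None,
            }
            alerts.append(cur)
            continue
        if cur is None or not line:
            continue
        m = CLASS_RE.match(line)
        if m:
            cur['classification'] = m.group(1)
            cur['priority'] = int(m.group(2))
            continue
        m = PKT_RE.match(line)
        if m:
            cur['timestamp'] = m.group(1)
            cur['src'] = m.group(2)
            cur['src_port'] = int(m.group(3)) if m.group(3) else None
            cur['dst'] = m.group(4)
            cur['dst_port'] = int(m.group(5)) if m.group(5) else None
            continue
        # The line after the address line names the protocol (ICMP/TCP/UDP).
        if cur['timestamp'] is not None and cur['proto'] is None:
            cur['proto'] = line.split()[0]
    return alerts


def summarize(alerts):
    """Count alerts per (sid, msg) so a noisy rule stands out."""
    return Counter((a['sid'], a['msg']) for a in alerts)


if __name__ == '__main__':
    parsed = parse_alert_file(SAMPLE_ALERT_FILE)
    for (sid, msg), n in summarize(parsed).most_common():
        print(f'{n:4d}  sid {sid}: {msg}')
    # Every field the alert facility gives us; note there is no payload.
    print('fields per alert:', sorted(parsed[0]))
```

Run it against a real file with `parse_alert_file(open('/var/log/snort/alert').read())`. The field list it prints is the whole of what an alert-mode output carries; anything beyond the header summary has to come from a log-mode output, which is the reason the poster keeps the database plugin in "log" mode.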