[Snort-users] output alert_syslog

Steve Halligan giermo at ...187...
Tue Jan 14 11:41:02 EST 2003


You need to add a local5.none to the messages line in syslog.conf

...I think...

>Hi,
>
> I've configured snort 1.9.0 to use syslog and edited syslog.conf so it logs
> local5.alert to /var/log/snort.alert but it's logging to that file AND
> /var/log/messages. I'd like to log to snort.alert only.
> 
> Here is the relevant information:
> 
> snort.conf:
> 
> [...]
> output alert_syslog: LOG_LOCAL5 LOG_ALERT
> output log_unified: filename snort.log, limit 128
> [...]
>
>
> syslog.conf:
> 
> *.err;*.notice;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages
> security.*                                      /var/log/security
> auth.notice;auth.info;authpriv.info             /var/log/auth.log
> mail.info                                       /var/log/maillog
> cron.*                                          /var/log/cron
> *.emerg                                         *
> local5.alert                                    /var/log/snort.alert
> console.info                                    /var/log/console.log
> 
> 
> # ls -l /var/log/snort.alert
> -rw-r--r--  1 root  wheel  2015 Jan 14 16:45 snort.alert
> 
> # ls -l /var/log/snort/
> -rw-r--r--  1 snort  snort  489509 Jan 14 16:54 scan.log
> -rw-r--r--  1 snort  snort    1119 Jan 14 16:45 snort.alert
> -rw-r--r--  1 snort  snort     452 Jan 14 12:56 snort.log.1042555093
> -rw-r--r--  1 snort  snort     514 Jan 14 12:58 snort.log.1042556289
> -rw-r--r--  1 snort  snort      24 Jan 14 16:40 snort.log.1042569610
> 
> I'm running snort with this command line:
> 
>  /usr/local/bin/snort -D -c /usr/local/etc/snort.conf -i fxp0 -p -z -u snort \
>  -g snort -m 022
>
> Thanks in advance (and sorry if it is obvious),
> 
>--
>Giovanni P. Tirloni
>gpt at ...8000...
>
>
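
Why the alerts reach both files, and what the suggested `local5.none` changes, shown as an added example that is not part of the original thread: a simplified Python model of syslog.conf selector matching, run over three lines of the posted config. It assumes a `facility.level` term selects that level and anything more severe and that a later term for the same facility overrides an earlier one; the function names are hypothetical and comparison flags such as `=` or `!` are not modeled.

```python
# Added example: simplified model of syslog.conf selector matching.
# Not syslogd's own code; comparison flags (=, !, <, >) are not modeled.
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

def selector_matches(selectors, facility, level):
    """True if a ';'-separated selector list accepts facility.level."""
    accepted = False
    for term in selectors.split(";"):
        facs, _, lvl = term.strip().rpartition(".")
        names = facs.split(",")
        if "*" not in names and facility not in names:
            continue  # this term says nothing about the facility
        if lvl == "none":
            accepted = False  # explicit exclusion of the facility
        else:
            # Lower number = more severe; a term selects its level and above.
            accepted = lvl == "*" or SEVERITY[level] <= SEVERITY[lvl]
    return accepted

def destinations(conf_text, facility, level):
    """Return the actions of every config line that accepts the message."""
    out = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selectors, action = line.split(None, 1)
        if selector_matches(selectors, facility, level):
            out.append(action)
    return out

# Three lines taken from the posted syslog.conf.
ORIGINAL = """\
*.err;*.notice;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages
*.emerg                                         *
local5.alert                                    /var/log/snort.alert
"""
# Same config with local5.none appended to the messages line, as suggested.
FIXED = ORIGINAL.replace("news.err ", "news.err;local5.none ", 1)

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("with local5.none", FIXED)):
        print(name, "->", destinations(conf, "local5", "alert"))
```

Snort's `LOG_LOCAL5 LOG_ALERT` messages are more severe than `err`, so the wildcard terms on the messages line accept them until `local5.none` removes the facility from that line.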



