[Snort-users] output alert_syslog

Matt Kettler mkettler at ...4108...
Tue Jan 14 11:45:02 EST 2003


Reconfigure your syslogd to not log local5 for /var/log/messages by adding 
local5.none to the specifier for that logfile:

  *.err;*.notice;kern.debug;lpr.info;mail.crit;news.err;local5.none /var/log/messages

At 05:04 PM 1/14/2003 -0200, Giovanni P. Tirloni wrote:
>Hi,
>
>  I've configured snort 1.9.0 to use syslog and edited syslog.conf so it logs
>  local5.alert to /var/log/snort.alert but it's logging to that file AND
>  /var/log/messages. I'd like to log to snort.alert only.
>
>  Here is the relevant information:
>
>  snort.conf:
>
>  [...]
>  output alert_syslog: LOG_LOCAL5 LOG_ALERT
>  output log_unified: filename snort.log, limit 128
>  [...]
>
>
>  syslog.conf:
>
>  *.err;*.notice;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages
>  security.*                                      /var/log/security
>  auth.notice;auth.info;authpriv.info             /var/log/auth.log
>  mail.info                                       /var/log/maillog
>  cron.*                                          /var/log/cron
>  *.emerg                                         *
>  local5.alert                                    /var/log/snort.alert
>  console.info                                    /var/log/console.log
>
>
>  # ls -l /var/log/snort.alert
>  -rw-r--r--  1 root  wheel  2015 Jan 14 16:45 snort.alert
>
>  # ls -l /var/log/snort/
>  -rw-r--r--  1 snort  snort  489509 Jan 14 16:54 scan.log
>  -rw-r--r--  1 snort  snort    1119 Jan 14 16:45 snort.alert
>  -rw-r--r--  1 snort  snort     452 Jan 14 12:56 snort.log.1042555093
>  -rw-r--r--  1 snort  snort     514 Jan 14 12:58 snort.log.1042556289
>  -rw-r--r--  1 snort  snort      24 Jan 14 16:40 snort.log.1042569610
>
>  I'm running snort with this command line:
>
>   /usr/local/bin/snort -D -c /usr/local/etc/snort.conf -i fxp0 -p -z -u snort \
>   -g snort -m 022
>
>  Thanks in advance (and sorry if it is obvious),
>
>--
>Giovanni P. Tirloni
>gpt at ...8000...
>
>

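Why the alerts reach both files, and why `local5.none` stops it, as an added example that is not part of the original thread: a simplified Python model of traditional BSD syslog.conf selector matching, run against the selector lists quoted above. The function and constant names are hypothetical, and comparison flags and comma-separated facility lists are not modelled.

```python
# Added example: simplified model of traditional BSD syslog.conf selectors.
# Only "facility.level", "facility.*" and "facility.none" are modelled;
# comparison flags and comma-separated facility lists are not.

# Numeric severities as in <syslog.h>: lower number = more severe.
LEVELS = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
          "warning": 4, "notice": 5, "info": 6, "debug": 7}


def is_logged(selector_list, facility, level):
    """True if a (facility, level) message matches the selector list.

    Selectors are read left to right and each one replaces the threshold
    of the facilities it names, so the last applicable selector wins.
    A message matches when it is at the threshold severity or higher.
    """
    threshold = None  # None: this facility is not logged to the file
    for selector in selector_list.split(";"):
        sel_facility, sel_level = selector.strip().rsplit(".", 1)
        if sel_facility not in ("*", facility):
            continue
        if sel_level == "none":
            threshold = None
        elif sel_level == "*":
            threshold = LEVELS["debug"]
        else:
            threshold = LEVELS[sel_level]
    return threshold is not None and LEVELS[level] <= threshold


# Selector lists from the thread: /var/log/messages before and after the fix.
MESSAGES_BEFORE = "*.err;*.notice;kern.debug;lpr.info;mail.crit;news.err"
MESSAGES_AFTER = MESSAGES_BEFORE + ";local5.none"
SNORT_ALERT = "local5.alert"

if __name__ == "__main__":
    # Snort is configured with LOG_LOCAL5 LOG_ALERT, i.e. local5.alert.
    for name, sel in [("messages (before)", MESSAGES_BEFORE),
                      ("messages (after)", MESSAGES_AFTER),
                      ("snort.alert", SNORT_ALERT)]:
        print(f"{name:18} local5.alert -> {is_logged(sel, 'local5', 'alert')}")
```
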