[Snort-users] disable /var/log/snort logging

Joesph Bowling joeybowling at ...125...
Wed May 7 17:00:05 EDT 2003


Delete them


>From: "Nick White" <nwhite at ...9112...>
>CC: <snort-users at lists.sourceforge.net>
>Subject: RE: [Snort-users] disable /var/log/snort logging
>Date: Wed, 7 May 2003 16:48:13 -0700
>
>You're right, the -N option turns off packet logging.  Sure it doesn't
>write to the disk, but it turns off packet logging within mysql as well
>- not cool.  Surely there is a way to have snort log everything to mysql
>(even packet logging), without dumping data to the hard drive.  I just
>can't figure out how.  I'm starting snort with -b (binary logging)
>option, which takes care of it crashing after a few minutes under a
>really heavy load.  Even still, logging to the disk is a total waste
>because I'll never do anything with the binary logs.
>
>-----Original Message-----
>From: Anderson Johnston [mailto:andy at ...2878...]
>Sent: Tuesday, May 06, 2003 3:36 PM
>To: Nick White
>Cc: snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] disable /var/log/snort logging
>
>
>The -N option should suppress logging (while allowing alerts).
>
>Caveats:
>	1. I don't know if it will stop logs to mysql, too.
>	2. The option doesn't seem to be working on my
>		system  (Solaris 8) under Snort 2.0.
>
>					- Andy
>
>On Tue, 6 May 2003, Nick White wrote:
>
> > Hi All,
> > I'm fairly new with snort, so go easy on me.  I'm running snort and
> > logging to mysql just fine.  The problem is, it's also logging to
> > /var/log/snort.  I need to figure out how to disable this logging to
> > disk.  I've looked at all the switches, and I can't seem to figure it
> > out.  I tried -A none, but then it stopped alerting to mysql.  I also
> > tried -l /dev/null, but it didn't like that one.
> >
> > Snort starts as a service via:
> > /usr/local/bin/snort -u snort -g snort -d -D -c /etc/snort/snort.conf
> >
> > In snort.conf, I log to mysql with:
> > output database: alert, mysql, user=snortusr password=fakepass
> > dbname=snort host=localhost
> >
> > I'm trying to kill snort with as much data as I can throw at it, and it
> > always dies after a few minutes with:
> > May  6 14:54:34 localhost snort: FATAL ERROR: OpenLogFile() =>
> > fopen(/var/log/snort/10.10.1.30/UDP:138-138) log file: Not a directory
> >
> > But I KNOW that the snort user has full permission to /var/log/snort.
> > But I don't need logging to disk.  It's a waste.  I only want it to log
> > to mysql.
> >
> > Thanks for your help!
> > - nick white
> >
>
>------------------------------------------------------------------------------
>** Andy Johnston (andy at ...2878...)          *            pager: 410-678-8949  **
>** Manager of IT Security                 * PGP key:(afj2002) 4096/8448B056 **
>** Office of Information Technology, UMBC *   4A B4 96 64 D9 B6 EF E3 21 9A **
>** 410-455-2583 (v)/410-455-1065 (f)      *   46 1A 37 11 F5 6C 84 48 B0 56 **
>------------------------------------------------------------------------------
>
