[Snort-users] disable /var/log/snort logging

Nick White nwhite at ...9112...
Thu May 8 09:11:07 EDT 2003


Thanks LCL for your suggestions and documentation references.  I now
better understand how snort treats alerts versus logs.  I've tried your
suggestion with the following line in my snort.conf:
output database: alert, mysql, log_null, user=snortusr password=fakepass
dbname=snort host=localhost

But it's still alerting to /var/log/snort.  Whenever I use the -N option
to start snort, it still alerts, but doesn't log any of the packet data.


Snort is starting with -u snort -g snort -d -D -b -c
/etc/snort/snort.conf.  I've tried removing -b, but it still alerts to
disk.  Any other suggestions that I can try?

Thanks again,
NW

-----Original Message-----
From: L. Christopher Luther [mailto:CLuther at ...6333...] 
Sent: Wednesday, May 07, 2003 8:49 PM
To: Nick White
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] disable /var/log/snort logging


Nick,  

Snort uses two output facilities - one for alerts and one for logs [0]
(a must read).  Your snort.conf only specifies an output facility for the
alerts, so I'm thinking that Snort therefore falls back to its 'default'
logging facility (i.e., /var/log).  
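The two-facility split described above is easy to check mechanically. The script below is an added example, not code from this thread or from the Snort project: it reads the `output` directives of a snort.conf, maps each to the facility it feeds (the `database` plugin goes by its first argument, `alert` or `log`; the other plugin names come from the stock Snort 2.x output plugins and the table is assumed complete enough for a sanity check, not exhaustive), and reports when nothing serves the log facility, which is the case where packet logs fall back to /var/log/snort. It also flags a plugin name that appears inside another directive's parameter list, since `log_null` only takes effect as its own `output log_null` line. The two sample configurations are constructed for the example, with the password replaced by a placeholder.

```python
"""Report which Snort output facilities (alert / log) a snort.conf configures.

Added example, not code from the mailing-list thread or from Snort itself.
"""
import re

# Facility fed by each stock Snort 2.x output plugin (assumed table; the
# "database" plugin is resolved from its first argument instead).
PLUGIN_FACILITY = {
    "alert_syslog": "alert",
    "alert_fast": "alert",
    "alert_full": "alert",
    "alert_unixsock": "alert",
    "alert_unified": "alert",
    "log_tcpdump": "log",
    "log_null": "log",
    "log_unified": "log",
}

OUTPUT_RE = re.compile(r"^\s*output\s+(\w+)\s*(?::\s*(.*))?$")


def parse_output_directives(conf_text):
    """Return (plugin, args) for every output directive in the config text.

    Backslash line continuations are joined first, as Snort does; comments
    after '#' are dropped.
    """
    joined = re.sub(r"\\\n", " ", conf_text)
    directives = []
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        m = OUTPUT_RE.match(line)
        if m:
            directives.append((m.group(1), (m.group(2) or "").strip()))
    return directives


def facility_of(plugin, args):
    """Map one directive to 'alert', 'log', or None if it is not recognised."""
    if plugin == "database":
        first = args.split(",", 1)[0].strip().lower()
        return first if first in ("alert", "log") else None
    return PLUGIN_FACILITY.get(plugin)


def check_facilities(conf_text):
    """Return ({'alert': [...], 'log': [...]}, [problem strings])."""
    configured = {"alert": [], "log": []}
    problems = []
    for plugin, args in parse_output_directives(conf_text):
        fac = facility_of(plugin, args)
        if fac is None:
            problems.append(f"unrecognised output plugin or facility: {plugin}: {args}")
            continue
        configured[fac].append(plugin)
        # A plugin name buried in another directive's parameters is not a
        # second directive; Snort treats it as an argument of that plugin.
        for name in PLUGIN_FACILITY:
            if re.search(rf"\b{name}\b", args):
                problems.append(f"'{name}' appears inside the arguments of '{plugin}'; "
                                "it must be its own 'output' line")
    if not configured["log"]:
        problems.append("no output plugin serves the log facility; "
                        "packet logs fall back to /var/log/snort")
    return configured, problems


# Constructed sample: the directive as posted in the thread, with log_null
# placed inside the database parameters (password replaced by a placeholder).
POSTED_CONF = """\
output database: alert, mysql, log_null, user=snortusr password=REDACTED \\
dbname=snort host=localhost
"""

# Constructed corrected version: one output directive per facility.
FIXED_CONF = """\
output database: alert, mysql, user=snortusr password=REDACTED \\
dbname=snort host=localhost
output log_null
"""

if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        configured, problems = check_facilities(conf)
        print(label, configured)
        for p in problems:
            print("  -", p)
```

Run against the posted form, the checker reports that only the alert facility is configured and that `log_null` sits inside the database plugin's arguments; against the corrected form, both facilities are served and no problems remain. The `-N` command-line switch is a separate mechanism that suppresses packet logging entirely, which is consistent with alerts still appearing when it is used.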
