[Snort-users] disable /var/log/snort logging
nwhite at ...9112...
Thu May 8 11:46:42 EDT 2003
Whenever I use -N and change my output line in snort.conf to alert, it
creates /var/log/snort/alert and continues to write alerts there.
(without packet information).
If possible, I'd like snort to _only_ log alerts (with packet
information) to mysql. Another user suggested simply deleting the disk
logs, but even then, there is a lot of unnecessary overhead.
Basically what I'm trying to accomplish is this:
1. Log to mysql with full packet information for alerts. (done)
2. Not have snort write a lot of redundant data to the disk that already
exists in mysql.
Thanks for your kind suggestions. Any further ideas?
From: Bamm Visscher [mailto:bamm at ...539...]
Sent: Thursday, May 08, 2003 5:57 AM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] disable /var/log/snort logging
Attach the database plugin to the 'alert' facility vice the 'log'
facility when using -N.
output database: alert, postgresql, user=snort dbname=snort
output database: log, postgresql, user=snort dbname=snort
On Wed, May 07, 2003 at 04:48:13PM -0700, Nick White wrote:
> You're right, the -N option turns off packet logging. Sure it doesn't
> write to the disk, but it turns off packet logging within mysql as
> - not cool. Surely there is a way to have snort log everything to
> (even packet logging), without dumping data to the hard drive. I just
> can't figure out how. I'm starting snort with -b (binary logging)
> option, which takes care of it crashing after a few minutes under a
> really heavy load. Even still, logging to the disk is a total waste
> because I'll never do anything with the binary logs.
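As an added illustration of Bamm's suggestion (not part of the original thread), here is what the original poster's setup would look like with the database plugin bound to the `alert` facility and MySQL substituted for PostgreSQL. Host, password and the daemon flag are assumed values, not anything from the thread.

```conf
# snort.conf fragment (added example, not the poster's actual config)
#
# With -N on the command line, Snort disables packet logging, which also
# disables every plugin attached to the 'log' facility. A database plugin
# declared on the 'log' facility therefore silently stops receiving events.
# Binding it to the 'alert' facility keeps alerts (with packet data) flowing
# to the database while -N prevents the on-disk packet logs.

# Chosen: alert facility -> MySQL (host/password are assumed placeholders)
output database: alert, mysql, user=snort password=CHANGEME dbname=snort host=localhost

# Not used: a 'log' facility binding would be switched off by -N
# output database: log, mysql, user=snort password=CHANGEME dbname=snort host=localhost

# Invocation matching the above (-N = no packet logging, -D = daemonize, assumed):
#   snort -c /etc/snort/snort.conf -N -D
```

The thread does not resolve why `/var/log/snort/alert` is still created in the poster's case; check whether a command-line `-A` option is overriding the `output` line in `snort.conf`, since command-line alert modes take precedence over the configuration file.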