[Snort-users] disable /var/log/snort logging

L. Christopher Luther CLuther at ...6333...
Thu May 8 11:50:03 EDT 2003


Nick, 

Sorry, I didn't explain it better -- let me try again.  Try the following in
snort.conf:  

    output database: alert, mysql, user=snortusr password=fakepass \
                     dbname=snort host=localhost
    output log_null 

That is, you want *two* separate 'output ...' statements in snort.conf.  

This should send the Snort alert facility to MySQL and the log facility to
NULL.  If this doesn't work, then me thinks me smells a bug.  ;)  

Also, you shouldn't run Snort in daemon mode until you make sure things are
working.  It is my experience that Snort console messages are lost in daemon
mode, so the interactive mode will let you see messages Snort generates as
it parses and processes the command line and snort.conf options.  


- Christopher


-----Original Message-----
From: Nick White [mailto:nwhite at ...9112...]
Sent: Thursday, May 08, 2003 12:11 PM
To: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] disable /var/log/snort logging


Thanks LCL for your suggestions and documentation references.  I now
better understand how snort treats alerts versus logs.  I've tried your
suggestion with the following line in my snort.conf:
output database: alert, mysql, log_null, user=snortusr password=fakepass
dbname=snort host=localhost

But it's still alerting to /var/log/snort.  Whenever I use the -N option
to start snort, it still alerts, but doesn't log any of the packet data.


Snort is starting with -u snort -g snort -d -D -b -c
/etc/snort/snort.conf.  I've tried removing -b, but it still alerts to
disk.  Any other suggestions that I can try?

Thanks again,
NW

-----Original Message-----
From: L. Christopher Luther [mailto:CLuther at ...6333...] 
Sent: Wednesday, May 07, 2003 8:49 PM
To: Nick White
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] disable /var/log/snort logging


Nick,  

Snort uses two output facilities - one for alerts and one for logs [0] (a
must read).  Your snort.conf only specifies an output facility for the
alerts, so I'm thinking that Snort therefore falls back to its 'default'
logging facility (i.e., /var/log).  

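A small added check for the configuration problem diagnosed in this thread (the
script and the two snort.conf samples inside it are constructed for illustration;
they are not code from Snort or from either poster): it reads the 'output ...'
statements from a snort.conf, assigns each Snort 2.x output plugin to the alert
facility or the log facility, and reports any facility that ends up with no
plugin at all, which is the state Christopher suspects makes Snort fall back to
its default logging under /var/log/snort.  The plugin-to-facility table, the
'output database: <alert|log>, ...' first-argument rule and the trailing-backslash
line continuation are Snort 2.x conventions as I know them; the helper names and
the sample configs (which reuse the thread's placeholder credentials) are mine.

```python
"""Classify snort.conf 'output' statements by Snort output facility.

Added example for the snort-users thread on disabling /var/log/snort
logging.  Not Snort code; plugin names are the Snort 2.x ones I know of.
"""
import re

# Snort 2.x output plugins by the facility they serve.  The 'database'
# plugin serves whichever facility its first argument names (alert or log).
ALERT_PLUGINS = {"alert_syslog", "alert_fast", "alert_full",
                 "alert_unixsock", "alert_csv", "alert_unified"}
LOG_PLUGINS = {"log_tcpdump", "log_null", "log_unified"}

OUTPUT_RE = re.compile(r"^\s*output\s+([A-Za-z_]+)\s*(?::\s*(.*))?$")


def join_continuations(text):
    """Join lines that end in a backslash with the following line, the way
    Snort's config parser treats a trailing '\\' (assumption: 2.x behaviour)."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def parse_outputs(conf_text):
    """Return a list of (plugin, facility, args) for each output statement.
    facility is 'alert', 'log' or 'unknown'.  Comment stripping is naive
    (a '#' inside a password would be cut off)."""
    outputs = []
    for line in join_continuations(conf_text):
        line = line.split("#", 1)[0].strip()
        m = OUTPUT_RE.match(line)
        if not m:
            continue
        plugin, args = m.group(1), (m.group(2) or "").strip()
        if plugin == "database":
            first = args.split(",", 1)[0].strip().lower() if args else ""
            facility = first if first in ("alert", "log") else "unknown"
        elif plugin in ALERT_PLUGINS:
            facility = "alert"
        elif plugin in LOG_PLUGINS:
            facility = "log"
        else:
            facility = "unknown"
        outputs.append((plugin, facility, args))
    return outputs


def facility_report(conf_text):
    """Map each facility to the plugins bound to it."""
    report = {"alert": [], "log": [], "unknown": []}
    for plugin, facility, _ in parse_outputs(conf_text):
        report[facility].append(plugin)
    return report


def missing_facilities(conf_text):
    """Facilities with no output plugin.  Per the thread's diagnosis, Snort
    then uses its built-in default for that facility (files under the -l
    directory, /var/log/snort by default) unless the command line turns it
    off (-N for logging)."""
    report = facility_report(conf_text)
    return [f for f in ("alert", "log") if not report[f]]


# Constructed sample: the single-statement form tried in the thread.
# 'log_null' here is just an argument to the database plugin, so no
# plugin is bound to the log facility.
BROKEN_CONF = """\
output database: alert, mysql, log_null, user=snortusr password=fakepass \\
                 dbname=snort host=localhost
"""

# Constructed sample: the two-statement form suggested in the thread.
FIXED_CONF = """\
output database: alert, mysql, user=snortusr password=fakepass \\
                 dbname=snort host=localhost
output log_null
"""

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, facility_report(conf), "missing:", missing_facilities(conf))
```

Run it against the real file with, for example, missing_facilities(open("/etc/snort/snort.conf").read());
a result containing "log" is the case this thread is about, where the answer is
a second 'output' statement (here 'output log_null') rather than more arguments
on the database line.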