[Snort-users] disable /var/log/snort logging
bamm at ...539...
Thu May 8 11:59:49 EDT 2003
Are you sure the db output plugin is the only one enabled in your snort.conf and what switches are you using to start snort?
`grep -v '^#' snort.conf | grep output`
On Thu, May 08, 2003 at 10:18:36AM -0700, Nick White wrote:
> Whenever I use -N and change my output line in snort.conf to alert, it
> creates /var/log/snort/alert and continues to write alerts there.
> (without packet information).
> If possible, I'd like snort to _only_ log alerts (with packet
> information) to mysql. Another user suggested simply deleting the disk
> logs, but even then, there is a lot of unnecessary overhead.
> Basically what I'm trying to accomplish is this:
> 1. Log to mysql with full packet information for alerts. (done)
> 2. Not have snort write a lot of redundant data to the disk that already
> exists in mysql.
> Thanks for your kind suggestions. Any further ideas?
> -----Original Message-----
> From: Bamm Visscher [mailto:bamm at ...539...]
> Sent: Thursday, May 08, 2003 5:57 AM
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] disable /var/log/snort logging
> Attach the database plugin to the 'alert' facility vice the 'log'
> facility when using -N.
> For example,
> output database: alert, postgresql, user=snort dbname=snort
> output database: log, postgresql, user=snort dbname=snort
> On Wed, May 07, 2003 at 04:48:13PM -0700, Nick White wrote:
> > You're right, the -N option turns off packet logging. Sure it doesn't
> > write to the disk, but it turns off packet logging within mysql as
> > - not cool. Surely there is a way to have snort log everything to
> > (even packet logging), without dumping data to the hard drive. I just
> > can't figure out how. I'm starting snort with -b (binary logging)
> > option, which takes care of it crashing after a few minutes under a
> > really heavy load. Even still, logging to the disk is a total waste
> > because I'll never do anything with the binary logs.
> Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara
> The only event dedicated to issues related to Linux enterprise solutions
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
More information about the Snort-users