[Snort-users] disable /var/log/snort logging

Nick White nwhite at ...9112...
Thu May 8 18:52:05 EDT 2003


That did it! Funny, the first time I tried output log_null on its own
line, snort wouldn't start... I must have done something wrong that
first time.  So I figured maybe you meant to put it on the same line,
and snort started fine once I did that.  I tried it again on its own
line, and snort started.  Must be the gremlins.

Anyway snort is logging to mysql beautifully, and no redundant disk
logging.  Many many thanks to LCL and those here on snort-users.

NW 


-----Original Message-----
From: L. Christopher Luther [mailto:CLuther at ...6333...] 
Sent: Thursday, May 08, 2003 10:27 AM
To: Nick White
Cc: Snort-Users (E-mail)
Subject: RE: [Snort-users] disable /var/log/snort logging


Nick, 

Sorry, I didn't explain it better -- let me try again.  Try the
following in snort.conf:  

    output database: alert, mysql, user=snortusr password=fakepass
                     dbname=snort host=localhost    
    output log_null 

That is, you want *two* separate 'output ...' statements in snort.conf.


This should send the Snort alert facility to MySQL and the log facility
to NULL.  If this doesn't work, then me thinks me smells a bug.  ;)  

Also, you shouldn't run Snort in daemon mode until you make sure things
are working.  It is my experience that Snort console messages are lost in
daemon mode, so the interactive mode will let you see messages Snort
generates as it parses and processes the command line and snort.conf
options.  


- Christopher


-----Original Message-----
From: Nick White [mailto:nwhite at ...9112...]
Sent: Thursday, May 08, 2003 12:11 PM
To: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] disable /var/log/snort logging


Thanks LCL for your suggestions and documentation references.  I now
better understand how snort treats alerts versus logs.  I've tried your
suggestion with the following line in my snort.conf:
output database: alert, mysql, log_null, user=snortusr password=fakepass
dbname=snort host=localhost

But it's still alerting to /var/log/snort.  Whenever I use the -N option
to start snort, it still alerts, but doesn't log any of the packet data.


Snort is starting with -u snort -g snort -d -D -b -c
/etc/snort/snort.conf.  I've tried removing -b, but it still alerts to
disk.  Any other suggestions that I can try?

Thanks again,
NW

-----Original Message-----
From: L. Christopher Luther [mailto:CLuther at ...6333...] 
Sent: Wednesday, May 07, 2003 8:49 PM
To: Nick White
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] disable /var/log/snort logging


Nick,  

Snort uses two output facilities - one for alerts and one for logs [0]
(a must read).  Your snort.conf only specifies an output facility for the
alerts, so I'm thinking that Snort therefore falls back to its 'default'
logging facility (i.e., /var/log).  
