[Snort-Users] differentiate between eth0 and eth1 in logs

Matt Kettler mkettler at ...4108...
Fri Apr 2 08:13:03 EST 2004


At 08:52 AM 4/2/2004, Jim Hendrick wrote:
>There was some talk about a year ago about allowing the user to specify what
>syslog facility snort would use. I don't think this made it into the code,
>but adding it should not be too hard.
>
>Other possibilities are to log to two separate files (the -l flag) and then
>parsing those with something to separate the alerts.

It's in snort 2.1, and may also be in earlier versions.. it's just a 
parameter to the output plugin in snort.conf

To quote snort.conf:

# [Unix flavours should use this format...]
# output alert_syslog: LOG_AUTH LOG_ALERT

And spo_alert_syslog.c has code to support this...

So, he could do the two separate config files idea I posted earlier, and 
still use syslog.. one logging to LOG_LOCAL5 and one to LOG_LOCAL4.. then 
configure syslog to dump them into separate logfiles. (and before anyone 
asks: No, snort can't tell syslog what file to use.. that's not how syslog 
works)






More information about the Snort-users mailing list