[Snort-Users] differentiate between eth0 and eth1 in logs
mkettler at ...4108...
Fri Apr 2 08:13:03 EST 2004
At 08:52 AM 4/2/2004, Jim Hendrick wrote:
>There was some talk about a year ago about allowing the user to specify what
>syslog facility snort would use. I don't think this made it into the code,
>but adding it should not be too hard.
>Other possibilities are to log to two separate files (the -l flag) and then
>parsing those with something to separate the alerts.
It's in snort 2.1, and may also be in earlier versions.. it's just a
parameter to the output plugin in snort.conf
To quote snort.conf:
# [Unix flavours should use this format...]
# output alert_syslog: LOG_AUTH LOG_ALERT
And spo_alert_syslog.c has code to support this...
So, he could do the two separate config files idea I posted earlier, and
still use syslog.. one logging to LOG_LOCAL5 and one to LOG_LOCAL4.. then
configure syslog to dump them into separate logfiles. (and before anyone
asks: No, snort can't tell syslog what file to use.. that's not how syslog
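
The setup described in this message, written out as an added example (not part of the original post and not taken from the Snort distribution). The config file names, the log file paths and the use of -D to run as a daemon are assumptions; the rest of each config file is whatever the existing snort.conf already contains.

```conf
# --- /etc/snort/snort-eth0.conf (hypothetical file name) ---
# Alerts from the eth0 sensor go to syslog facility local4.
output alert_syslog: LOG_LOCAL4 LOG_ALERT

# --- /etc/snort/snort-eth1.conf (hypothetical file name) ---
# Alerts from the eth1 sensor go to syslog facility local5.
output alert_syslog: LOG_LOCAL5 LOG_ALERT

# --- one snort process per interface, each with its own config ---
# snort -D -i eth0 -c /etc/snort/snort-eth0.conf
# snort -D -i eth1 -c /etc/snort/snort-eth1.conf

# --- /etc/syslog.conf: syslog, not snort, decides the destination file ---
# (log file paths are assumptions)
local4.*        /var/log/snort-eth0.log
local5.*        /var/log/snort-eth1.log
```

syslogd has to re-read its configuration (for example on SIGHUP) before the two new log files start receiving alerts.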