[Snort-users] alert_syslog

Owen McCusker mccusker at ...10962...
Fri Feb 6 12:33:04 EST 2004


On a SuSE box I do the following:

1) In snort.conf I set up Snort to log using the local6 syslog facility:
LOG_LOCAL6 LOG_ALERT

Do a man on syslogd and search for AUTH to get a list of log facilities, and
an idea of how they work.

2) I set up syslogd via syslog.conf to redirect local6.* to
/var/log/snort-messages:
local6.*                              -/var/log/snort-messages

3) I update the log rotation script, /etc/logrotate.d/syslog, to manage the
new log file:

add in /var/log/snort-messages

4) SIGHUP syslogd to reread its conf file:
kill -s HUP xxxx

where xxxx is the pid.

5) Restart Snort, if it runs as a chrooted user.

OpenBSD boxes have a different flavor for rotating logs: they use
newsyslog.conf, but the syslog facilities should be similar.

Owen
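The five steps above, collected into one script as an added example (this is not code from the original post or from the Snort project). It targets a sysklogd + logrotate host like the SuSE box described; every path (syslog.conf, the logrotate.d file, the syslogd pidfile) and the Snort 2.x "output alert_syslog:" line are assumptions to check against your own system. Setting ROOT points all file paths at a scratch tree so you can dry-run it without touching /etc.

```shell
#!/bin/sh
# Added example, not code from the original post. Automates: snort.conf output
# line, syslog.conf rule, logrotate stanza, SIGHUP of syslogd, and a check that
# the rule landed before Snort is restarted. Paths below are assumptions.
ROOT="${ROOT:-}"                               # e.g. ROOT=/tmp/dryrun for a test tree
FACILITY="${FACILITY:-local6}"                 # syslog facility Snort will log to
LOGFILE="${LOGFILE:-/var/log/snort-messages}"  # dedicated alert file
SYSLOG_CONF="${SYSLOG_CONF:-$ROOT/etc/syslog.conf}"
LOGROTATE_CONF="${LOGROTATE_CONF:-$ROOT/etc/logrotate.d/snort-messages}"
SYSLOGD_PID="${SYSLOGD_PID:-$ROOT/var/run/syslogd.pid}"   # assumed pidfile location

# 1) The snort.conf output line for this facility (Snort 2.x syntax, assumed:
#    "output alert_syslog: <facility> <priority>").
snort_output_line() {
    printf 'output alert_syslog: LOG_%s LOG_ALERT\n' \
        "$(printf '%s' "$FACILITY" | tr '[:lower:]' '[:upper:]')"
}

# 2) syslog.conf rule. The leading "-" tells sysklogd not to fsync after every
#    line: faster, but the last few alerts can be lost if the box crashes.
#    The rule is added only once so repeated runs stay idempotent.
syslog_rule() {
    printf '%s.*\t-%s\n' "$FACILITY" "$LOGFILE"
}
add_syslog_rule() {
    if grep -q "^$FACILITY\.\*[[:space:]]" "$SYSLOG_CONF" 2>/dev/null; then
        return 0                           # facility already routed somewhere
    fi
    syslog_rule >> "$SYSLOG_CONF"
}

# 3) logrotate stanza in its own file under /etc/logrotate.d instead of editing
#    the distribution's "syslog" entry. postrotate HUPs syslogd so it reopens
#    the freshly rotated file; otherwise it keeps writing to the old inode.
logrotate_stanza() {
    cat <<EOF
$LOGFILE {
    weekly
    rotate 8
    compress
    missingok
    notifempty
    create 0640 root root
    postrotate
        /bin/kill -HUP \$(cat $SYSLOGD_PID 2>/dev/null) 2>/dev/null || true
    endscript
}
EOF
}
write_logrotate() {
    logrotate_stanza > "$LOGROTATE_CONF"
}

# 4) SIGHUP syslogd so it re-reads syslog.conf (same as "kill -s HUP <pid>").
hup_syslogd() {
    [ -r "$SYSLOGD_PID" ] || { echo "no pidfile at $SYSLOGD_PID" >&2; return 1; }
    kill -HUP "$(cat "$SYSLOGD_PID")"
}

# 5) Check that the route and the rotation stanza are really in place before
#    restarting Snort; a typo here silently sends alerts to the default file.
verify() {
    grep -q "^$FACILITY\.\*[[:space:]].*$LOGFILE" "$SYSLOG_CONF" \
        && [ -s "$LOGROTATE_CONF" ]
}

apply_all() {
    add_syslog_rule && write_logrotate && hup_syslogd && verify || return 1
    echo "Add this line to snort.conf:"; snort_output_line
    echo "Then restart Snort. If Snort is chrooted, /dev/log must exist inside the chroot"
    echo "(sysklogd: syslogd -a /path/to/chroot/dev/log), or alerts never reach syslogd."
}

# Only touch the system when explicitly asked; sourcing the file just defines functions.
if [ "${1:-}" = "apply" ]; then apply_all; fi
```

Run it as `ROOT=/tmp/dryrun sh snort-syslog.sh apply` first and diff the generated files against your real ones; only then run it without ROOT as root. The chroot note in step 5 is the usual reason a freshly configured Snort appears to log nothing: syslog(3) talks to the /dev/log socket, which a chrooted process cannot see unless syslogd also listens on a socket inside the chroot.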



>I actually tried that before, it did not work for the switch 
>command.  Does anyone have  any other ideas on how to change the 
>syslog file?
>
>Thanks again,
>Peggy
>
>Josh Berry wrote:
>
>>You can configure your syslog.conf file with:
>>
>>auth.alert       /var/log/(whatever_you_want_to_call_the_file)
>>
>>and then restart syslog.  I am not sure if this works with the command
>>line switch but it works if you use the syslog configuration in your
>>snort.conf file.
>>
>>
>>>Hi,
>>>
>>>Does anyone know how to send alerts to some other file other than to
>>>the default syslog file (when using the -s switch command line)?
>>>
>>>Thanks in advance,
>>>Peggy
>>>
>>>
>>>
>>>-------------------------------------------------------
>>>The SF.Net email is sponsored by EclipseCon 2004
>>>Premiere Conference on Open Tools Development and Integration
>>>See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
>>>http://www.eclipsecon.org/osdn
>>>_______________________________________________
>>>Snort-users mailing list
>>>Snort-users at lists.sourceforge.net
>>>Go to this URL to change user options or unsubscribe:
>>>https://lists.sourceforge.net/lists/listinfo/snort-users
>>>Snort-users list archive:
>>>http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>
>>>   
>>>
>>
>>
>>Thanks,
>>Josh Berry, CISSP
>>CTO, VP of Product Development
>>LinkNet-Solutions
>>469-831-8543
>>josh.berry at ...10268...
>>
>>
>>
>>
>
>
>




