[Snort-users] logging directory "/var/log/snort"

sgt_b sgt_b at ...11733...
Sat May 1 15:39:01 EDT 2004


Hi Corey,

Well, as the error states, /var/log/snort may not exist or may have 
incorrect permissions set up. Since you're running snort as root, I'd 
wager a guess that /var/log/snort simply doesn't exist. This is the 
default logging directory when snort is run. So you can either create 
that directory, or use the -l switch to specify another logging 
location (i.e. `snort -v -T -c /etc/snort/snort.conf -l ./' to log to the 
current directory, or `snort -v -T -c /etc/snort/snort.conf -l 
/path/to/logging/directory' to log to a directory of your choosing).

Hope this helps!

Corey Rock wrote:

> Greetings all!
>
> Anybody else see this problem?  Help!
>
> [root at ...11745... etc]# snort -v -T -c /etc/snort/snort.conf
> Running in IDS mode
> Log directory = /var/log/snort
> ERROR:
> [!] ERROR: Can not get write access to logging directory 
> "/var/log/snort".
> (directory doesn't exist or permissions are set incorrectly
> or it is not a directory at all)
>
> ___________
>
> Why does it think log dir is /var/log/snort? Conf file says log to db??!!
> I've configured snort to run many times before, but this fresh install 
> baffles me!
>
> 1.  configured to log to mysql, as per conf below
> 2.  confirmed mysql running, access with specified credentials to db 
> functions
> 3.  snort runs fine in command line mode
> 4.  if I simply create the /var/log/snort directory, the test of the 
> conf file succeeds:
>
> Version 2.1.2 (Build 25)
> By Martin Roesch (roesch at ...1935..., www.snort.org)
>
> Snort sucessfully loaded all rules and checked all rule chains!
> Final Flow Statistics
> ,----[ FLOWCACHE STATS ]----------
> Memcap: 10485760 Overhead Bytes 16400 used(%0.156403)/blocks (16400/1) 
> Overhead
> blocks: 1 Could Hold: (0)
> IPV4 count: 0 frees: 0 low_time: 0, high_time: 0, diff: 0h:00:00s
>    finds: 0 reversed: 0(%0.000000)
>    find_sucess: 0 find_fail: 0 percent_success: (%0.000000) new_flows: 0
> database: Closing connection to database "
> Snort exiting
>
> ________________________
>
>
> /etc/snort/snort.conf:
>
> # Step #3: Configure output plugins
> #
> # output <name_of_plugin>: <configuration_options>
> #
> #alert_syslog: log alerts to syslog
> # ----------------------------------
> # Use one or more syslog facilities as arguments.
> # [Unix flavours should use this format...]
> #output alert_syslog: LOG_AUTH LOG_ALERT
> #
> # log_tcpdump: log packets in binary tcpdump format
> # -------------------------------------------------
> # The only argument is the output file name.
> #
> # output log_tcpdump: tcpdump.log
>
> # database: log to a variety of databases
> # ---------------------------------------
> # See the README.database file for more information about configuring
> # and using this plugin.
> #
> output database: log, mysql, user=snort password=xxxx dbname=snort host=localhost
> # output database: alert, postgresql, user=snort dbname=snort
> # output database: log, odbc, user=snort dbname=snort
> # output database: log, mssql, dbname=snort user=snort password=test
> # output database: log, oracle, dbname=snort user=snort password=test
>
> Thanks for any help!
>
> Regards,
>
> Corey
>
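Added example, not from sgt_b's reply or from the Snort project: a POSIX shell pre-flight check that tests the three conditions the error message names (directory missing, not a directory, not writable) before snort is started, creates the directory with restrictive permissions when it is simply absent, and prints the `-l` form of the test command from the reply above. The mode 0750 and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for the Snort
# logging directory, mirroring the three conditions the error message names.
# Usage: ensure_log_dir /var/log/snort && snort_test_cmd /etc/snort/snort.conf /var/log/snort

# Return 0 if $1 is an existing directory writable by the current user;
# otherwise print the reason to stderr and return a distinct non-zero code.
check_log_dir() {
    dir=$1
    if [ ! -e "$dir" ]; then
        echo "$dir: does not exist" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "$dir: exists but is not a directory" >&2
        return 2
    fi
    if [ ! -w "$dir" ] || [ ! -x "$dir" ]; then
        echo "$dir: not writable by $(id -un) (check owner and mode)" >&2
        return 3
    fi
    return 0
}

# Create the directory only when it is missing, then re-run the check.
# Mode 0750 is an assumption: Snort logs can contain packet payloads,
# so the directory should not be world-readable.
ensure_log_dir() {
    dir=$1
    if [ ! -e "$dir" ]; then
        mkdir -p -m 0750 "$dir" || return 1
    fi
    check_log_dir "$dir"
}

# Build the test command line from the reply, with -l pointing at the
# directory that passed the check ($1 = snort.conf path, $2 = log directory).
snort_test_cmd() {
    printf 'snort -v -T -c %s -l %s\n' "$1" "$2"
}
```

Running `ensure_log_dir` before `snort -T` turns the generic "Can not get write access" error into a specific reason, and the exit code tells a start-up script which of the three cases it hit.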
