[Snort-users] logging directory "/var/log/snort"

sgt_b sgt_b at ...11733...
Sat May 1 15:53:04 EDT 2004


Corey,

Sorry, forgot to mention this in my previous mail.

Snort still needs a place to put the 'alert' file when you log to a 
database. The line in your snort.conf specifies the use of the "log" 
action in your output plugin. So it still needs to send the "alert" to 
its logging location (default /var/log/snort).

You can set the action event in the output plugin to "alert" as well. 
Unfortunately, I don't regularly use snort to output to a db, so I can't 
tell you which action event is better, log or alert, or if you can use 
them at the same time. In my limited work with snort and databases, I've 
always used the log action event, and let the alert file get generated 
in /var/log/snort.

At any rate, that's why snort is still asking for /var/log/snort when 
you're logging to a database.

Corey Rock wrote:

> Greetings all!
>
> Anybody else see this problem?  Help!
>
> [root at ...11745... etc]# snort -v -T -c /etc/snort/snort.conf
> Running in IDS mode
> Log directory = /var/log/snort
> ERROR:
> [!] ERROR: Can not get write access to logging directory 
> "/var/log/snort".
> (directory doesn't exist or permissions are set incorrectly
> or it is not a directory at all)
>
> ___________
>
> why does it think log dir is /var/log/snort? conf file says log to db??!!
> I've configured snort to run many times before, but this fresh install 
> baffles me!
>
> 1.  configured to log to mysql, as per conf below
> 2.  confirmed mysql running, access with specified credentials to db 
> functions
> 3.  snort runs fine in command line mode
> 4.  if I simply create the /var/log/snort directory, the test of the 
> conf file succeeds:
>
> Version 2.1.2 (Build 25)
> By Martin Roesch (roesch at ...1935..., www.snort.org)
>
> Snort sucessfully loaded all rules and checked all rule chains!
> Final Flow Statistics
> ,----[ FLOWCACHE STATS ]----------
> Memcap: 10485760 Overhead Bytes 16400 used(%0.156403)/blocks (16400/1) 
> Overhead
> blocks: 1 Could Hold: (0)
> IPV4 count: 0 frees: 0 low_time: 0, high_time: 0, diff: 0h:00:00s
>    finds: 0 reversed: 0(%0.000000)
>    find_sucess: 0 find_fail: 0 percent_success: (%0.000000) new_flows: 0
> database: Closing connection to database "
> Snort exiting
>
> ________________________
>
>
> /etc/snort/snort.conf:
>
> # Step #3: Configure output plugins
> #
> # output <name_of_plugin>: <configuration_options>
> #
> #alert_syslog: log alerts to syslog
> # ----------------------------------
> # Use one or more syslog facilities as arguments.
> # [Unix flavours should use this format...]
> #output alert_syslog: LOG_AUTH LOG_ALERT
> #
> # log_tcpdump: log packets in binary tcpdump format
> # -------------------------------------------------
> # The only argument is the output file name.
> #
> # output log_tcpdump: tcpdump.log
>
> # database: log to a variety of databases
> # ---------------------------------------
> # See the README.database file for more information about configuring
> # and using this plugin.
> #
> output database: log, mysql, user=snort password=xxxx dbname=snort host=localhost
> # output database: alert, postgresql, user=snort dbname=snort
> # output database: log, odbc, user=snort dbname=snort
> # output database: log, mssql, dbname=snort user=snort password=test
> # output database: log, oracle, dbname=snort user=snort password=test
>
> Thanks for any help!
>
> Regards,
>
> Corey
>
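A pre-flight check for the Snort logging directory that mirrors the three causes listed in the error above (missing, not a directory, no write access), since the alert file is still written there even with an "output database: log, ..." plugin. This is an added example, not code from the thread or from Snort; the /var/log/snort path, the 'snort' user and the 750 mode are assumptions for a typical install.

```shell
#!/bin/sh
# Added example (not from the thread or Snort). Snort opens its "alert" file
# under the logging directory even when logging to a database, so the
# directory must exist, be a directory, and be writable by the user Snort
# runs as. The path, user and mode below are assumptions.

# Returns 0 if usable; 1 missing, 2 not a directory, 3 not writable.
check_snort_logdir() {
    dir="$1"
    if [ ! -e "$dir" ]; then
        echo "missing: $dir does not exist" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "notdir: $dir is not a directory" >&2
        return 2
    fi
    if [ ! -w "$dir" ]; then
        echo "noperm: $dir is not writable by $(id -un)" >&2
        return 3
    fi
    return 0
}

# Create the directory owner-only: alert and packet logs contain captured
# traffic, so avoid world-readable or world-writable permissions.
create_snort_logdir() {
    dir="$1"
    owner="$2"
    mkdir -p -m 750 "$dir" && chown "$owner" "$dir"
}

# Usage (assumes a 'snort' user and /etc/snort/snort.conf on this host):
#   check_snort_logdir /var/log/snort || create_snort_logdir /var/log/snort snort
#   snort -T -c /etc/snort/snort.conf
```

Run the check as the same user Snort will run as, since root passes the write test on directories that an unprivileged snort user cannot write to.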