[Snort-users] Logs and alerts directed into a single file?
mkettler at ...4108...
Tue Sep 7 12:36:04 EDT 2004
At 01:30 PM 9/7/2004, Sconeboy The Magnificent wrote:
>I assume i am doing something wrong, but i cannot see a way to get
>snort to log alerts and 'log' to one and the same file,
>for example, i have a rule to diagnose http data across my network
>using the session:printable; parameter [F1]. if i use an 'alert' rule
>in my snort rules file it will log to alert for that rule to one file,
>and then the actual payload data to another file [F2]
>is it possible to log the alert and then the data immediately after in one
Not that I'm aware of.
Also, for what it's worth, the text data logging mode is not recommended
for production use because it's outrageously slow and causes packet loss.
If you're going to do basic text mode alert logging, I'd seriously suggest
switching to tcpdump binary format for packet logs. If you later need the
packets decoded into text, you can run the files through tcpdump -rx, or a
decoder of your choice.
I'll admit this takes you further away from your desire for a collated
report from snort, but report formatting is best handled by post-processing
due to packet loss concerns. You might want to look at one or more data
analysis tools to help generate the report formats you want.
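The post-processing approach the reply recommends, as an added example that is not part of the thread and not Snort's or tcpdump's own code: a small Python script that reads a classic libpcap file (the binary format Snort writes and `tcpdump -r` reads) together with Snort's "fast" text alert lines, matches each alert to packets on the same TCP flow, and prints the alert followed by the payload rendered the way `session:printable` would (printable ASCII kept, everything else replaced by a dot). The alert lines and the pcap bytes below are constructed in the script so it runs offline; the collation key (source IP, source port, destination IP, destination port) is an assumption that suits single-packet rules and would need a session id for multi-packet streams.

```python
import re
import struct

# Constructed sample alert lines in Snort's "fast" text format (not from the thread).
SAMPLE_ALERTS = """\
09/07-13:30:15.123456  [**] [1:1000001:1] HTTP GET observed [**] [Priority: 3] {TCP} 10.0.0.5:49152 -> 10.0.0.80:80
09/07-13:30:16.000000  [**] [1:1000002:1] Unrelated alert [**] [Priority: 3] {TCP} 10.0.0.9:40000 -> 10.0.0.80:80
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>[^\]]+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_alerts(text):
    """Parse fast-format alert lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            alerts.append(d)
    return alerts


def build_packet(src, dst, sport, dport, payload):
    """Construct a minimal Ethernet/IPv4/TCP frame (checksums left zero; sample data only)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # zeroed MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(records):
    """Write a little-endian classic pcap: 24-byte global header, then (header, frame) records."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for sec, usec, frame in records:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


# Constructed pcap: the request the first alert fired on, plus the server's reply.
SAMPLE_PCAP = build_pcap([
    (1094578215, 123456, build_packet("10.0.0.5", "10.0.0.80", 49152, 80,
                                      b"GET /index.html HTTP/1.0\r\nHost: www\r\n\r\n")),
    (1094578216, 500000, build_packet("10.0.0.80", "10.0.0.5", 80, 49152,
                                      b"HTTP/1.0 200 OK\r\n\r\n")),
])


def decode_frame(frame):
    """Return the TCP 4-tuple and payload of an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    tcp = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
    doff = (frame[tcp + 12] >> 4) * 4
    return {"src": ".".join(map(str, frame[26:30])), "sport": sport,
            "dst": ".".join(map(str, frame[30:34])), "dport": dport,
            "payload": frame[tcp + doff:]}


def parse_pcap(data):
    """Walk a classic pcap file (either byte order) and decode each TCP packet."""
    magic = struct.unpack("<I", data[:4])[0]
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet link type handled here")
    pos, pkts = 24, []
    while pos + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(end + "IIII", data[pos:pos + 16])
        pos += 16
        decoded = decode_frame(data[pos:pos + incl])
        pos += incl
        if decoded:
            decoded["ts"] = (sec, usec)
            pkts.append(decoded)
    return pkts


def printable(payload):
    """Mimic session:printable - keep printable ASCII, replace other bytes with '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in payload)


def collate(alerts, packets):
    """Produce one report entry per alert: the alert line, then matching packet payloads."""
    report = []
    for a in alerts:
        key = (a["src"], a["sport"], a["dst"], a["dport"])
        matched = [p for p in packets if (p["src"], p["sport"], p["dst"], p["dport"]) == key]
        lines = [f'{a["ts"]} [{a["sid"]}] {a["msg"]} {a["src"]}:{a["sport"]} -> {a["dst"]}:{a["dport"]}']
        if not matched:
            lines.append("  (no packet for this flow in the pcap)")
        for p in matched:
            sec, usec = p["ts"]
            lines.append(f"  packet @ {sec}.{usec:06d} ({len(p['payload'])} payload bytes):")
            lines.append("  " + printable(p["payload"]))
        report.append("\n".join(lines))
    return report


if __name__ == "__main__":
    print("\n\n".join(collate(parse_alerts(SAMPLE_ALERTS), parse_pcap(SAMPLE_PCAP))))
```

Because the collation runs offline over files Snort has already written, it adds no work to the capture path, which is the point of the reply: keep the sensor writing compact binary logs and do the formatting afterwards.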