[Snort-users] Can't put log message to the special directory
mkettler at ...4108...
Tue Sep 28 08:55:28 EDT 2004
I think you are missing one minor concept of Snort. Snort has alerts, and
logs. Both. Alerts contain rule matches, logs contain packet captures.
Using your "output alert_fast: /home/snort/fst.log" you've set where your
ALERTS go, but not where your logs go.
The -l command line specifies where both go. And the default format for
logs is ip-hierarchy. However, this is IN ADDITION to the alert file.
Might I suggest switching to tcpdump binary logging or unified logging for
your packet captures:
output alert_fast: /home/snort/fst.log
output log_tcpdump: /home/snort/tcpdump.log
This will give you two files, one with your fast mode alerts, and one
fast-written binary log of packets that you can later read with tcpdump -r.
At 10:06 PM 9/27/2004, Peixiao Guo wrote:
>output alert_fast: /home/snort/fst.log
>log tcp any any -> any 80 (flags:S;)
>I just want to put the alert_fast message to the file
>/home/snort/fst.log, but I will get an error if I run this command:
>snort -c snort.conf -d
>the err messages as below:
>Running in IDS mode
>Log directory = /var/log/snort
>[!] ERROR: Can not get write access to logging directory "/var/log/snort".
>(directory doesn't exist or permissions are set incorrectly
>or it is not a directory at all)
>Fatal Error, Quitting..
>When I run this command:
>snort -c snort.conf -dl /home/snort/
>then all output message will be recorded in IP hierarchy in /home/snort
>I'm wondering how to log the output message to a /home/snort/fst.log file
>Can any senior one give me a directive?
>Thanks very very much!
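The log_tcpdump file suggested in the reply above is a plain libpcap capture, which is why tcpdump -r can read it. As an added example (not code from the thread or from Snort), here is a small parser for that format that recovers each logged packet with its timestamp and rejects truncated or oversized records, so a cut-short log fails loudly instead of yielding partial packets; the Record, parse_pcap and build_pcap names and the sample capture are mine.

```python
import struct
from dataclasses import dataclass

MAGIC_US = 0xA1B2C3D4  # libpcap magic, microsecond timestamps
MAGIC_NS = 0xA1B23C4D  # libpcap magic, nanosecond timestamps


@dataclass
class Record:
    ts: float      # capture time, seconds since the epoch
    caplen: int    # bytes saved in the file (capped at snaplen)
    origlen: int   # bytes on the wire
    data: bytes


def parse_pcap(blob: bytes) -> tuple:
    """Parse a libpcap file (the format log_tcpdump writes) into (link_type, [Record]).
    Byte order is taken from the magic; bad lengths raise instead of being skipped."""
    if len(blob) < 24:
        raise ValueError("truncated global header")
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", blob[:4])[0]
        if magic in (MAGIC_US, MAGIC_NS):
            break
    else:
        raise ValueError("not a libpcap file (bad magic)")
    ts_div = 1e6 if magic == MAGIC_US else 1e9
    snaplen, link_type = struct.unpack(endian + "II", blob[16:24])
    records, off = [], 24
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, caplen, origlen = struct.unpack(endian + "IIII", blob[off:off + 16])
        off += 16
        if caplen > snaplen or off + caplen > len(blob):
            raise ValueError("bad caplen %d at offset %d" % (caplen, off - 16))
        records.append(Record(ts_sec + ts_frac / ts_div, caplen, origlen, blob[off:off + caplen]))
        off += caplen
    return link_type, records


def build_pcap(packets, link_type=1, endian="<") -> bytes:
    """Constructed fixture writer (not Snort's): pcap version 2.4, snaplen 65535."""
    out = struct.pack(endian + "IHHiIII", MAGIC_US, 2, 4, 0, 0, 65535, link_type)
    for ts_sec, ts_usec, data in packets:
        out += struct.pack(endian + "IIII", ts_sec, ts_usec, len(data), len(data)) + data
    return out


# Constructed sample: two Ethernet frames with timestamps near the thread's date
SAMPLE = build_pcap([(1096333560, 1234, b"\x00" * 14 + b"\x45" + b"\x00" * 39),
                     (1096333561, 5, b"\xff" * 60)])
```

Point parse_pcap at the bytes of /home/snort/tcpdump.log to walk the packets Snort logged for a rule match without leaving Python.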