[Snort-users] Can't put log message to the special directory

Matt Kettler mkettler at ...4108...
Tue Sep 28 08:55:28 EDT 2004


I think you are missing one minor concept of Snort. Snort has alerts, and 
logs. Both. Alerts contain rule matches, logs contain packet captures.

Using your "output alert_fast: /home/snort/fst.log" you've set where your 
ALERTS go, but not where your logs go.

The -l command line specifies where both go. And the default format for 
logs is ip-hierarchy. However, this is IN ADDITION to the alert file.

Might I suggest switching to tcpdump binary logging or unified logging for 
your packet captures:

         output alert_fast: /home/snort/fst.log
         output log_tcpdump: /home/snort/tcpdump.log

This will give you two files, one with your fast mode alerts, and one 
fast-written binary log of packets that you can later read with tcpdump -r.

At 10:06 PM 9/27/2004, Peixiao Guo wrote:
>output alert_fast: /home/snort/fst.log
>log tcp any any -> any 80 (flags:S;)
>I just want to put the "alert_fast" message to the file 
>/home/snort/fst.log, but I will get an error if I run this command:
>snort -c snort.conf -d
>the err messages as below:
>Running in IDS mode
>Log directory = /var/log/snort
>ERROR:
>[!] ERROR: Can not get write access to logging directory "/var/log/snort".
>(directory doesn't exist or permissions are set incorrectly
>or it is not a directory at all)
>Fatal Error, Quitting..
>When I run this command:
>snort -c snort.conf -dl /home/snort/
>then all output message will be recorded in IP hierarchy in /home/snort 
>directory.
>
>I'm wondering how to log the output message to a /home/snort/fst.log file
>Can any senior one give me a directive?
>Thanks very very much!
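As an added illustration (not part of the thread, and not Snort's own code), the script below is a pre-flight check for the configuration Matt describes. It reproduces the test behind Snort's "Can not get write access to logging directory" error for the -l directory, and extends it to the files named in `output alert_fast:` and `output log_tcpdump:` lines, so a config like the one suggested above can be validated before Snort is started. The snort.conf fragment it builds is constructed for the demonstration; the function names are the example's own.

```shell
#!/bin/sh
# Added example: checks that the directories Snort would write to exist and
# are writable before starting it. Not Snort code; function names are ours.

# Return 0 if DIR exists, is a directory and is writable, which is what
# Snort requires of its -l "Log directory"; return 1 otherwise.
snort_logdir_ok() {
    dir=$1
    [ -d "$dir" ] && [ -w "$dir" ]
}

# Print the destination file of every "output alert_fast: FILE" and
# "output log_tcpdump: FILE" line in the config file CONF.
snort_output_files() {
    conf=$1
    awk '$1 == "output" && ($2 == "alert_fast:" || $2 == "log_tcpdump:") { print $3 }' "$conf"
}

# Return 0 if every output file named in CONF can be created (its parent
# directory passes snort_logdir_ok); otherwise report the first failure on
# stderr and return 1, mirroring the fatal error in the original post.
snort_outputs_ok() {
    conf=$1
    for f in $(snort_output_files "$conf"); do
        d=$(dirname "$f")
        if ! snort_logdir_ok "$d"; then
            echo "output file $f: cannot write to directory $d" >&2
            return 1
        fi
    done
    return 0
}

# Demonstration on a constructed config: one writable log directory holding
# both the fast alert file and the tcpdump binary log, as in Matt's reply.
demo() {
    work=$(mktemp -d)
    mkdir "$work/snort"
    cat > "$work/snort.conf" <<EOF
# constructed snort.conf fragment (demo only)
output alert_fast: $work/snort/fst.log
output log_tcpdump: $work/snort/tcpdump.log
log tcp any any -> any 80 (flags:S;)
EOF
    if snort_logdir_ok "$work/snort" && snort_outputs_ok "$work/snort.conf"; then
        echo "config OK: snort -c $work/snort.conf -l $work/snort would start"
    else
        echo "config NOT OK: fix the log directory before starting snort"
    fi
    # the same check against a directory that does not exist reproduces the
    # "directory doesn't exist" case from the thread
    snort_logdir_ok "$work/missing" || echo "as expected: $work/missing is not usable as -l directory"
    rm -rf "$work"
}

demo
```

Run it as `sh snort_precheck.sh`; to check a real deployment, call `snort_logdir_ok` on the directory you pass to -l and `snort_outputs_ok` on your snort.conf. Note that it only inspects the `alert_fast` and `log_tcpdump` plugins discussed in the thread; other output plugins (unified, database) take different arguments and are not parsed.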
