[Snort-users] syslog output problem

Terry td3201 at ...11827...
Thu Mar 12 11:57:15 EDT 2009


Thank you for your response.  I modified the command line so those
options are no longer in there:
/usr/sbin/snort -d -D -i eth1 -s -u snort -g snort -c
/etc/snort/snort.conf -l /var/log/snort

I am still not seeing this in my foo.log as expected.  Again, here is
the output in snort.conf:
output alert_syslog: LOG_LOCAL0 LOG_ALERT

And my syslog.conf:
*.info;mail.none;authpriv.none;cron.none;local0.none    /var/log/messages
authpriv.*                                              /var/log/secure
local0.*                                                /var/log/foo.log


I am seeing some stuff in /var/log/messages for some reason:
Mar 12 10:57:03 XXXXXX snort[9072]: [1:882:6] WEB-CGI calendar access
[Classification: Attempted Information Leak] [Priority: 2]: {TCP}
XXXXXX:36759 -> XXXXX:80





On Thu, Mar 12, 2009 at 9:41 AM, Joel Esler <eslerj at ...11827...> wrote:
> You are using -b and -A on the command line.  Command line options override
> snort.conf options.
> J
>
> On Thu, Mar 12, 2009 at 9:58 AM, Terry <td3201 at ...11827...> wrote:
>>
>> Hello,
>>
>> I can't seem to get syslog and snort working well together.  Here's what
>> I got:
>>
>> commands I've tried:
>> /usr/sbin/snort -A fast -b -d -D -i eth1 -s -u snort -g snort -c
>> /etc/snort/snort.conf -l /var/log/snort
>> /usr/sbin/snort -b -d -D -i eth1 -s -u snort -g snort -c
>> /etc/snort/snort.conf -l /var/log/snort
>>
>> snort.conf:
>> output alert_syslog: LOG_LOCAL0 LOG_ALERT
>>
>> syslog.conf:
>> local0.*
>>     /var/log/foo.log
>> *.info;mail.none;authpriv.none;cron.none;local0.none    /var/log/messages
>>
>> I see stuff going into /var/log/messages but that's it.  What am I
>> missing?
>>
>>
> --
> Joel Esler
> T: 302-223-5974 (-) Gtalk: jesler at ...1935...
> [m]
>
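
Since the thread turns on which syslog.conf line catches a given facility and priority, here is an added example (not from the thread, and not Snort or sysklogd code) that evaluates the three selector lines Terry posted using the classic sysklogd selector rules. It shows that a local0.alert message lands only in /var/log/foo.log while a message logged under the user facility (the syslog(3) default when a program sets none) lands in /var/log/messages, and it rejects a line whose path is not on the same line as its selector.

```python
# Added example (not from the thread): evaluate classic syslog.conf selectors, the
# sysklogd grammar rsyslog also accepts. SYSLOG_CONF embeds Terry's three lines.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
SYSLOG_CONF = """
*.info;mail.none;authpriv.none;cron.none;local0.none    /var/log/messages
authpriv.*                                              /var/log/secure
local0.*                                                /var/log/foo.log
"""

def parse_rules(text):
    # Each non-comment line becomes ([selector, ...], action).
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 2:  # catches a path that slipped onto its own line
            raise ValueError(f"malformed syslog.conf line: {line!r}")
        rules.append((fields[0].split(";"), fields[1]))
    return rules

def selector_matches(selector, facility, priority):
    # True/False when the selector decides for this facility, None if silent.
    facs, level = selector.rsplit(".", 1)
    if facs != "*" and facility not in facs.split(","):
        return None
    if level == "none":
        return False      # explicit exclusion, e.g. local0.none
    if level == "*":
        return True
    # "facility.prio" means that priority or anything more severe (lower index)
    return PRIORITIES.index(priority) <= PRIORITIES.index(level)

def destinations(conf, facility, priority):
    # Return the files a message would be written to under this config.
    out = []
    for selectors, action in parse_rules(conf):
        verdict = None
        for sel in selectors:  # later selectors on a line override earlier ones
            match = selector_matches(sel, facility, priority)
            if match is not None:
                verdict = match
        if verdict:
            out.append(action)
    return out

if __name__ == "__main__":
    print(destinations(SYSLOG_CONF, "local0", "alert"))  # ['/var/log/foo.log']
    print(destinations(SYSLOG_CONF, "user", "alert"))    # ['/var/log/messages']
```

If the Snort lines you see in /var/log/messages are not excluded by local0.none, syslogd is not receiving them under facility local0; feed the facility you actually observe into destinations() to confirm which line is catching them.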



