[Snort-users] syslog output problem

Joel Esler eslerj at ...11827...
Thu Mar 12 12:19:25 EDT 2009


It looks like you have local0.none in your /var/log/messages line.  I can't
remember, since it's been awhile since I've used the Syslog output module,
but does syslog.conf process all log lines and send alerts to all files
listed, or only the first one it comes across?
J

On Thu, Mar 12, 2009 at 11:57 AM, Terry <td3201 at ...11827...> wrote:

> Thank you for your response.  I modified the command line so those
> options are no longer in there:
> /usr/sbin/snort -d -D -i eth1 -s -u snort -g snort -c
> /etc/snort/snort.conf -l /var/log/snort
>
> I am still not seeing this in my foo.log as expected.  Again, here is
> the output in snort.conf:
> output alert_syslog: LOG_LOCAL0 LOG_ALERT
>
> And my syslog.conf:
> *.info;mail.none;authpriv.none;cron.none;local0.none    /var/log/messages
> authpriv.*                                              /var/log/secure
> local0.*                                                /var/log/foo.log
>
>
> I am seeing some stuff in /var/log/messages for some reason:
> Mar 12 10:57:03 XXXXXX snort[9072]: [1:882:6] WEB-CGI calendar access
> [Classification: Attempted Information Leak] [Priority: 2]: {TCP}
> XXXXXX:36759 -> XXXXX:80
>
>
>
>
>
> On Thu, Mar 12, 2009 at 9:41 AM, Joel Esler <eslerj at ...11827...> wrote:
> > You are using -b and -A on the command line.  Command line options
> > override snort.conf options.
> > J
> >
> > On Thu, Mar 12, 2009 at 9:58 AM, Terry <td3201 at ...11827...> wrote:
> >>
> >> Hello,
> >>
> >> I can't seem to get syslog and snort working well together.   Here's
> >> what I got:
> >>
> >> commands I've tried:
> >> /usr/sbin/snort -A fast -b -d -D -i eth1 -s -u snort -g snort -c
> >> /etc/snort/snort.conf -l /var/log/snort
> >> /usr/sbin/snort -b -d -D -i eth1 -s -u snort -g snort -c
> >> /etc/snort/snort.conf -l /var/log/snort
> >>
> >> snort.conf:
> >> output alert_syslog: LOG_LOCAL0 LOG_ALERT
> >>
> >> syslog.conf:
> >> local0.*                                              /var/log/foo.log
> >> *.info;mail.none;authpriv.none;cron.none;local0.none  /var/log/messages
> >>
> >> I see stuff going into /var/log/messages but that's it.  What am I
> >> missing?
> >>
> >>
> >>
> >
> >
> >
> > --
> > Joel Esler
> > T: 302-223-5974 (-) Gtalk: jesler at ...1935...
> > [m]
> >
>



-- 
Joel Esler
T: 302-223-5974 (-) Gtalk: jesler at ...1935...
[m]
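Joel's question, whether syslogd writes a message to every file whose line matches or stops at the first, can be checked offline with the small evaluator below. It is an added example, not part of this thread and not code from Snort or sysklogd; it models classic sysklogd selector syntax (facility lists, `*`, `=`, `!`, `none`, left-to-right application within one line). Every rule line is evaluated for every message, so one message can land in several files, and `local0.none` removes local0 from that one action only. The config text is Terry's three syslog.conf lines with tabs replaced by spaces; the facility and priority names are the standard syslog ones. Run against Terry's rules, a message sent as LOG_LOCAL0/LOG_ALERT can reach only /var/log/foo.log, so a Snort line that shows up in /var/log/messages cannot have been emitted with facility local0.

```python
"""Offline evaluator for classic sysklogd-style syslog.conf selectors.

Added example (not from the thread, Snort or sysklogd). It answers: for a
message with a given facility and priority, which actions fire? syslogd
checks every rule line, so several actions may fire for one message.
"""
import re

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "local0", "local1", "local2",
              "local3", "local4", "local5", "local6", "local7"]
# Index 0 is the most severe; "fac.pri" accepts pri and anything more severe.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning", "security": "auth"}


def _fac(name):
    name = ALIASES.get(name, name)
    if name not in FACILITIES:
        raise ValueError(f"unknown facility: {name!r}")
    return name


def _pri(name):
    name = ALIASES.get(name, name)
    if name not in PRIORITIES:
        raise ValueError(f"unknown priority: {name!r}")
    return PRIORITIES.index(name)


def parse_rule(line):
    """Parse one 'selectors<ws>action' line into (action, {facility: accepted priority indices}).

    Returns None for blank and comment lines.  Selectors apply left to right:
    '*.info;local0.none' admits every facility at info and above, then drops
    local0 entirely for this one action.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = re.split(r"\s+", line, maxsplit=1)
    if len(parts) != 2:
        # A selector whose action has wrapped onto the next line is not a
        # rule; refuse it rather than silently losing the destination.
        raise ValueError(f"selector without an action on the same line: {line!r}")
    selectors, action = parts
    accepted = {f: set() for f in FACILITIES}
    for sel in selectors.split(";"):
        facs, pri = sel.rsplit(".", 1)
        targets = FACILITIES if facs == "*" else [_fac(f) for f in facs.split(",")]
        if pri == "none":                      # remove these facilities for this action
            for f in targets:
                accepted[f] = set()
            continue
        negate = pri.startswith("!")           # '!pri' subtracts instead of adding
        pri = pri.lstrip("!")
        exact = pri.startswith("=")            # '=pri' means this single priority
        pri = pri.lstrip("=")
        if pri == "*":
            levels = set(range(len(PRIORITIES)))
        elif exact:
            levels = {_pri(pri)}
        else:
            levels = set(range(_pri(pri) + 1))  # this priority and more severe
        for f in targets:
            if negate:
                accepted[f] -= levels
            else:
                accepted[f] |= levels
    return action, accepted


def parse_config(text):
    """Parse a whole syslog.conf body into an ordered list of (action, accepted) rules."""
    rules = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is not None:
            rules.append(rule)
    return rules


def destinations(rules, facility, priority):
    """Every action that receives a facility.priority message (all rules checked, not just the first)."""
    fac, pri = _fac(facility), _pri(priority)
    return [action for action, accepted in rules if pri in accepted[fac]]


def facilities_reaching(rules, action, priority):
    """Facilities that would land a message of this priority in the given action file."""
    pri = _pri(priority)
    return sorted({f for act, accepted in rules if act == action
                   for f in FACILITIES if pri in accepted[f]})


# Terry's three syslog.conf lines from the thread (tabs replaced by spaces).
SYSLOG_CONF = """
*.info;mail.none;authpriv.none;cron.none;local0.none    /var/log/messages
authpriv.*                                              /var/log/secure
local0.*                                                /var/log/foo.log
"""

if __name__ == "__main__":
    rules = parse_config(SYSLOG_CONF)
    # An alert emitted as LOG_LOCAL0/LOG_ALERT, as snort.conf requests, goes only to foo.log.
    print(destinations(rules, "local0", "alert"))
    # Anything that reached /var/log/messages at LOG_ALERT used one of these facilities:
    print(facilities_reaching(rules, "/var/log/messages", "alert"))
```

Two practical checks follow from this. First, the command line Terry posted still carries `-s`, which switches on Snort's own syslog alerting with Snort's built-in default facility (LOG_AUTH in the Snort 2 documentation) rather than the LOG_LOCAL0 set in snort.conf; by Joel's own point about command-line options overriding snort.conf, that is the first thing to look at, and `auth.alert` is exactly the kind of message the `*.info` line routes into /var/log/messages. Second, the parser refuses a selector whose action sits on the following line, which is how `local0.*` and `/var/log/foo.log` appear in the first post; if the real file is split that way and not just the e-mail, the foo.log rule is not a rule at all.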