[Snort-users] syslog output problem

Terry td3201 at ...11827...
Thu Mar 12 14:04:35 EDT 2009


It should work with what I have but I took it out so it now looks like
this and it's still not working:
*.info;mail.none;authpriv.none;cron.none        /var/log/messages
local0.*                                                /var/log/foo.log

foo.log is being created when I restart syslog with this config so I
can assume that syslog is configured correctly as far as that
particular line.


On Thu, Mar 12, 2009 at 11:19 AM, Joel Esler <eslerj at ...11827...> wrote:
> It looks like you have local0.none in your /var/log/messages line.  I can't
> remember, since it's been awhile since I've used the Syslog output module,
> but does syslog.conf process all log lines and send alerts to all files
> listed, or only the first one it comes across?
> J
>
> On Thu, Mar 12, 2009 at 11:57 AM, Terry <td3201 at ...11827...> wrote:
>>
>> Thank you for your response.  I modified the command line so those
>> options are no longer in there:
>> /usr/sbin/snort -d -D -i eth1 -s -u snort -g snort -c
>> /etc/snort/snort.conf -l /var/log/snort
>>
>> I am still not seeing this in my foo.log as expected.  Again, here is
>> the output in snort.conf:
>> output alert_syslog: LOG_LOCAL0 LOG_ALERT
>>
>> And my syslog.conf:
>> *.info;mail.none;authpriv.none;cron.none;local0.none    /var/log/messages
>> authpriv.*                                              /var/log/secure
>> local0.*                                                /var/log/foo.log
>>
>>
>> I am seeing some stuff in /var/log/messages for some reason:
>> Mar 12 10:57:03 XXXXXX snort[9072]: [1:882:6] WEB-CGI calendar access
>> [Classification: Attempted Information Leak] [Priority: 2]: {TCP}
>> XXXXXX:36759 -> XXXXX:80
>>
>>
>>
>>
>>
>> On Thu, Mar 12, 2009 at 9:41 AM, Joel Esler <eslerj at ...11827...> wrote:
>> > You are using -b and -A on the command line.  Command line options
>> > override
>> > snort.conf options.
>> > J
>> >
>> > On Thu, Mar 12, 2009 at 9:58 AM, Terry <td3201 at ...11827...> wrote:
>> >>
>> >> Hello,
>> >>
>> >> I can't seem to get syslog and snort working well together. Here's
>> >> what I got:
>> >>
>> >> commands I've tried:
>> >> /usr/sbin/snort -A fast -b -d -D -i eth1 -s -u snort -g snort -c
>> >> /etc/snort/snort.conf -l /var/log/snort
>> >> /usr/sbin/snort -b -d -D -i eth1 -s -u snort -g snort -c
>> >> /etc/snort/snort.conf -l /var/log/snort
>> >>
>> >> snort.conf:
>> >> output alert_syslog: LOG_LOCAL0 LOG_ALERT
>> >>
>> >> syslog.conf:
>> >> local0.*                                              /var/log/foo.log
>> >> *.info;mail.none;authpriv.none;cron.none;local0.none  /var/log/messages
>> >>
>> >> I see stuff going into /var/log/messages but that's it.  What am I
>> >> missing?
>> >>
>> >>
>> >>
>> >
>> >
>> >
>> > --
>> > Joel Esler
>> > T: 302-223-5974 (-) Gtalk: jesler at ...1935...
>> > [m]
>> >
>
>
>
> --
> Joel Esler
> T: 302-223-5974 (-) Gtalk: jesler at ...1935...
> [m]
>
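The open question in the thread is how a syslog.conf with both `local0.none` on the `/var/log/messages` line and `local0.*` on the `/var/log/foo.log` line routes a single message. The following Python model is an added example for this thread, not Snort's or syslogd's own code; it implements the syslog.conf(5) rules of classic sysklogd (every rule line is evaluated and the message goes to every matching target; a plain priority means that priority and above; `;`-joined selectors apply left to right with later ones overriding earlier ones for the facilities they name; `none` drops a facility from that line) and runs the two configurations posted above through it. The message facility/priority pairs fed in are constructed.

```python
"""Model how a sysklogd-style syslog.conf routes one message.

Added example for this thread; it is not Snort's or syslogd's own code.
Rule semantics follow syslog.conf(5) for classic sysklogd: every rule line is
evaluated and the message is written to EVERY matching target, a plain
priority means "that priority and above", ';'-joined selectors on one line
are applied left to right with later ones overriding earlier ones for the
facilities they name, and 'none' drops the facility from that line.
The two configs are the ones posted in the thread; the messages are constructed.
"""

PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
FACILITIES = (["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "news",
               "syslog", "user", "uucp"] + [f"local{i}" for i in range(8)])


def parse_config(text):
    """Return a list of (selectors, target) pairs.

    A rule is '<selector>[;<selector>...]<whitespace><target>'; blank lines and
    '#' comments are ignored. Line continuation is not modelled, so a selector
    and its target must sit on the same line."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        selectors, target = line.split(None, 1)
        rules.append((selectors.split(";"), target.strip()))
    return rules


def selector_matches(selectors, facility, priority):
    """Decide whether one rule line accepts a message of facility/priority."""
    if priority not in PRIORITIES or facility not in FACILITIES:
        raise ValueError(f"unknown facility/priority: {facility}.{priority}")
    decision = False
    for sel in selectors:
        fac_part, prio_part = sel.split(".", 1)
        facs = FACILITIES if fac_part == "*" else fac_part.split(",")
        if facility not in facs:
            continue          # this selector says nothing about our facility
        if prio_part == "none":
            decision = False  # explicit exclusion, e.g. local0.none
        elif prio_part == "*":
            decision = True
        elif prio_part.startswith("="):
            decision = priority == prio_part[1:]   # exactly this priority
        else:
            # plain priority: this level and everything more severe
            decision = PRIORITIES.index(priority) >= PRIORITIES.index(prio_part)
    return decision


def route(config_text, facility, priority):
    """Every target a message with this facility/priority is written to, in rule order."""
    return [target for selectors, target in parse_config(config_text)
            if selector_matches(selectors, facility, priority)]


# The two syslog.conf variants from the thread.
CONF_WITH_LOCAL0_NONE = """\
*.info;mail.none;authpriv.none;cron.none;local0.none    /var/log/messages
authpriv.*                                              /var/log/secure
local0.*                                                /var/log/foo.log
"""

CONF_WITHOUT_LOCAL0_NONE = """\
*.info;mail.none;authpriv.none;cron.none        /var/log/messages
local0.*                                                /var/log/foo.log
"""

if __name__ == "__main__":
    # An alert emitted as LOG_LOCAL0/LOG_ALERT, i.e. facility local0, priority alert.
    for name, conf in [("with local0.none", CONF_WITH_LOCAL0_NONE),
                       ("without local0.none", CONF_WITHOUT_LOCAL0_NONE)]:
        print(f"{name}: local0.alert -> {route(conf, 'local0', 'alert')}")
    # A facility the first line explicitly drops from /var/log/messages.
    print("authpriv.alert ->", route(CONF_WITH_LOCAL0_NONE, "authpriv", "alert"))
```

With `local0.none` present, a local0/alert message reaches only `/var/log/foo.log`; with it removed, the same message is written to both `/var/log/messages` (via `*.info`, since alert is above info) and `/var/log/foo.log`, which answers the "all files or only the first" question. The model also shows that under the first configuration a local0 message cannot land in `/var/log/messages` at all, so a Snort line that does appear there was not delivered on local0. A quick live check of the same thing is `logger -p local0.alert "test message"` and seeing which file the line arrives in.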
