[Snort-users] Useful logging of performance statistics

Crook, Parker Parker_Crook at ...14786...
Tue Jun 22 15:55:27 EDT 2010

Good afternoon all,

I recently switched over to syslog-ng in my lab environment after living with the status quo for way too long (on Debian, Snort logs to /var/log/syslog). After being lazy and scrolling the few hundred/thousand lines to get to the rules and preprocessor stats in my log files, I wanted a better way. Now that I am using syslog-ng, I have:

#DESTINATION
destination snort_info { file("/var/log/snort_info"); };
destination snort_warn { file("/var/log/snort_warn"); };
destination snort_notice { file("/var/log/snort_notice"); };
destination snort_crit { file("/var/log/snort_crit"); };
destination snort_err { file("/var/log/snort_err"); };
destination snort_emerg { file("/var/log/snort_emerg"); };

#FILTER
filter f_snort_info { level(info); };
filter f_snort_notice { level(notice); };
filter f_snort_warn { level(warn); };
filter f_snort_crit { level(crit); };
filter f_snort_err { level(err); };
filter f_snort_emerg { level(emerg); };

#LOG
log { source(s_all); filter(f_snort_info); destination(snort_info); };
log { source(s_all); filter(f_snort_notice); destination(snort_notice); };
log { source(s_all); filter(f_snort_warn); destination(snort_warn); };
log { source(s_all); filter(f_snort_crit); destination(snort_crit); };
log { source(s_all); filter(f_snort_err); destination(snort_err); };
log { source(s_all); filter(f_snort_emerg); destination(snort_emerg); };

And was kind of hoping for a nice breakup of logging; alas:

  4 drwxr-xr-x 2 snort       snort   4096 2010-06-22 15:04 snort
 12 -rw-r----- 1 root        adm     8465 2010-06-22 15:04 snort_err
452 -rw-r----- 1 root        adm   455815 2010-06-22 15:17 snort_info
588 -rw-r----- 1 root        adm   597570 2010-06-22 15:04 snort_notice
 24 -rw-r----- 1 root        adm    22932 2010-06-22 15:04 snort_warn

So I found the Preprocessor Profile Statistics & Rule Profile Statistics in snort_notice, but I still have to rummage through a bunch of cruft just to get what I am looking for. So my question is: Is there a better way? I want to log my rule profile & preprocessor profile statistics to a log unto themselves for easy(ier) historical comparison.
Thanks,

Parker
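The level-based split above lands the profile statistics in snort_notice next to every other notice-priority message, and a syslog-ng content match on "Profile Statistics" would only catch the header line, since the table rows that follow do not carry that keyword. One way to get the statistics into a file of their own is to post-process the notice log by following the shape of each block. The script below is an added example, not code from the original post; it assumes the traditional syslog line layout ("Mon DD HH:MM:SS host prog[pid]: message"), assumes that Snort's table rows are indented and its ruler lines start with "=", and the sample log lines, column names and values in it are constructed for illustration rather than copied from real Snort output.

```python
"""Extract Snort profile-statistics blocks from a syslog-style file into their own log.

Added example; assumptions (not taken from the mailing-list post):
  - lines follow the traditional syslog layout "Mon DD HH:MM:SS host prog[pid]: message"
  - a block starts at a snort message containing "Profile Statistics" and continues while
    the next lines come from the same snort PID and look like table lines (indented rows
    or "=" rulers); anything else ends the block
  - the sample lines, column names and numbers below are constructed, not real Snort output
"""
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)


@dataclass
class ProfileBlock:
    kind: str      # header text, e.g. "Rule Profile Statistics (all rules)"
    started: str   # syslog timestamp of the header line, for historical comparison
    pid: str       # Snort PID that emitted the block
    lines: List[str] = field(default_factory=list)  # table lines, column header first

    def as_table(self) -> List[Dict[str, str]]:
        """Return data rows keyed by the column names of the first non-ruler line.
        Rows whose field count differs from the header are skipped rather than misaligned."""
        body = [ln for ln in self.lines if not ln.strip().startswith("=")]
        if not body:
            return []
        columns = body[0].split()
        rows = []
        for line in body[1:]:
            fields = line.split()
            if len(fields) == len(columns):
                rows.append(dict(zip(columns, fields)))
        return rows


def parse_syslog_line(line: str) -> Optional[Dict[str, str]]:
    m = SYSLOG_RE.match(line.rstrip())
    return m.groupdict() if m else None


def _is_table_line(msg: str) -> bool:
    # Assumed Snort layout: table header/rows are indented, rulers start with "=".
    return bool(msg) and (msg[0].isspace() or msg.startswith("="))


def extract_profile_blocks(lines: Iterable[str]) -> List[ProfileBlock]:
    blocks: List[ProfileBlock] = []
    current: Optional[ProfileBlock] = None
    for raw in lines:
        rec = parse_syslog_line(raw)
        if rec is None:            # unparseable line: never part of a block
            current = None
            continue
        msg = rec["msg"]
        if rec["prog"] == "snort" and "Profile Statistics" in msg:
            current = ProfileBlock(kind=msg.strip(), started=rec["ts"], pid=rec["pid"] or "")
            blocks.append(current)
            continue
        if current is None:
            continue
        same_process = rec["prog"] == "snort" and (rec["pid"] or "") == current.pid
        if same_process and _is_table_line(msg):
            current.lines.append(msg)
        else:
            current = None         # first non-table line (or other process) ends the block
    return blocks


def write_profile_log(blocks: List[ProfileBlock], out_path: str) -> int:
    """Append each block, prefixed by when and which PID produced it. Returns blocks written."""
    with open(out_path, "a") as fh:
        for b in blocks:
            fh.write(f"# {b.started} snort[{b.pid}] {b.kind}\n")
            fh.write("\n".join(b.lines) + "\n\n")
    return len(blocks)


# Constructed sample of what a snort_notice file might hold (column names illustrative).
SAMPLE_LOG = """\
Jun 22 15:04:01 lab snort[2201]: Rule Profile Statistics (all rules)
Jun 22 15:04:01 lab snort[2201]: ==================================================
Jun 22 15:04:01 lab snort[2201]:    Num      SID GID Rev     Checks   Matches    Alerts  Microsecs
Jun 22 15:04:01 lab snort[2201]:      1     1000   1   1        244         3         3       1180
Jun 22 15:04:01 lab snort[2201]:      2     1001   1   2         98         0         0        412
Jun 22 15:04:01 lab snort[2201]:
Jun 22 15:04:01 lab snort[2201]: Preprocessor Profile Statistics (all)
Jun 22 15:04:01 lab snort[2201]: ==================================================
Jun 22 15:04:01 lab snort[2201]:    Num   Preprocessor Layer     Checks      Exits  Microsecs
Jun 22 15:04:01 lab snort[2201]:      1          frag3     0       9000       9000       3120
Jun 22 15:04:02 lab snort[2201]: Snort exiting
Jun 22 15:05:00 lab cron[3301]: (root) CMD (/usr/bin/run-parts /etc/cron.hourly)
"""

if __name__ == "__main__":
    # Usage: python extract_snort_profile.py /var/log/snort_notice [/var/log/snort_profile]
    source = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    found = extract_profile_blocks(source)
    if len(sys.argv) > 2:
        write_profile_log(found, sys.argv[2])
    for b in found:
        print(f"{b.started} {b.kind}: {len(b.as_table())} rows")
```

Run against the sample it reports one rule block with two rows and one preprocessor block with one row, and "Snort exiting" is left out because it is not indented. Because each block keeps its syslog timestamp, the rows from successive runs can be keyed on SID (or preprocessor name) and compared directly, which is the historical comparison the post asks for.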
