[Snort-users] Useful logging of performance statistics

Jason Wallace jason.r.wallace at ...11827...
Tue Jun 22 16:53:20 EDT 2010


Out of curiosity, what do you have for sources? Is s_all just snort logs?

Wally

On Tue, Jun 22, 2010 at 3:55 PM, Crook, Parker <Parker_Crook at ...14786...> wrote:
> Good afternoon all,
>
>
>
> I recently switched over to syslog-ng in my lab environment after living
> with the status-quo for way too long (On Debian, Snort logs to
> /var/log/syslog).  After being lazy and scrolling the few hundred/thousand
> lines to get to the rules and preprocessor stats in my log files, I wanted a
> better way.  Now that I am using syslog-ng, I have:
>
> #DESTINATION
> destination snort_info { file("/var/log/snort_info"); };
> destination snort_warn { file("/var/log/snort_warn"); };
> destination snort_notice { file("/var/log/snort_notice"); };
> destination snort_crit { file("/var/log/snort_crit"); };
> destination snort_err { file("/var/log/snort_err"); };
> destination snort_emerg { file("/var/log/snort_emerg"); };
>
> #FILTER
> filter f_snort_info { level(info); };
> filter f_snort_notice { level(notice); };
> filter f_snort_warn { level(warn); };
> filter f_snort_crit { level(crit); };
> filter f_snort_err { level(err); };
> filter f_snort_emerg { level(emerg); };
>
> #LOG
> log { source(s_all); filter(f_snort_info); destination(snort_info); };
> log { source(s_all); filter(f_snort_notice); destination(snort_notice); };
> log { source(s_all); filter(f_snort_warn); destination(snort_warn); };
> log { source(s_all); filter(f_snort_crit); destination(snort_crit); };
> log { source(s_all); filter(f_snort_err); destination(snort_err); };
> log { source(s_all); filter(f_snort_emerg); destination(snort_emerg); };
>
>
>
> And was kind of hoping for a nice breakup of logging; alas:
>
>   4 drwxr-xr-x 2 snort snort   4096 2010-06-22 15:04 snort
>  12 -rw-r----- 1 root  adm     8465 2010-06-22 15:04 snort_err
> 452 -rw-r----- 1 root  adm   455815 2010-06-22 15:17 snort_info
> 588 -rw-r----- 1 root  adm   597570 2010-06-22 15:04 snort_notice
>  24 -rw-r----- 1 root  adm    22932 2010-06-22 15:04 snort_warn
>
>
>
> So I found the Preprocessor Profile Statistics & Rule Profile Statistics in
> snort_notice, but I still have to rummage through a bunch of cruft just to
> get what I am looking for.  So my question is:  Is there a better way?  I
> want to log my rule profile & preprocessor profile statistics to a log unto
> themselves for easy(ier) historical comparison.
>
>
>
> Thanks,
>
> Parker
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
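Added example (not code from either poster, nor from the Snort or syslog-ng projects). Parker's filters select on level() only, so every daemon logging at info or notice from s_all lands in the same files, and the profiling tables Snort prints at shutdown arrive one table row per syslog message, which a single match() on the header line cannot capture. The script below instead reads the syslog file, keeps only messages whose program field is "snort", reassembles the "Rule Profile Statistics" and "Preprocessor Profile Statistics" tables, and compares two runs so rules whose Avg/Check cost jumped stand out. It assumes Snort was configured with `config profile_rules` and `config profile_preprocs` (which requires a build with `--enable-perfprofiling`); the log lines embedded in it are constructed to resemble that output and the exact column layout may differ between Snort versions.

```python
"""Extract Snort rule/preprocessor profiling tables from a syslog file.

Added example, not from the mailing-list thread. Assumes Snort emits the
"Rule Profile Statistics" / "Preprocessor Profile Statistics" tables at
shutdown, one table row per syslog message. The sample log lines are
constructed; column names mirror the headers Snort prints but the layout is
assumed, not taken from the thread.
"""
import re

# "Jun 22 15:04:01 ids snort[1234]: <message>"
SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
HEADERS = {
    "Rule Profile Statistics": "rules",
    "Preprocessor Profile Statistics": "preprocs",
}
ROW_RE = re.compile(r"^\s*\d+\s+\S")  # a table row starts with the Num column


def snort_messages(lines):
    """Yield the message part of each syslog line whose program is snort."""
    for line in lines:
        m = SYSLOG_RE.match(line.rstrip("\n"))
        if m and m.group("prog") == "snort":
            yield m.group("msg")


def extract_tables(lines):
    """Return {"rules": rows, "preprocs": rows}; each row is a field list.

    A table starts at its header message and ends at the first snort message
    that is neither a '===' separator, a 'Num ...' column header, nor a row
    beginning with a number. Messages from other daemons are ignored.
    """
    tables = {"rules": [], "preprocs": []}
    current = None
    for msg in snort_messages(lines):
        kind = next((v for k, v in HEADERS.items() if msg.startswith(k)), None)
        if kind:
            current = kind
            continue
        if current is None:
            continue
        stripped = msg.strip()
        if stripped.startswith("=") or stripped.startswith("Num"):
            continue
        if ROW_RE.match(msg):
            tables[current].append(stripped.split())
        else:
            current = None  # table finished
    return tables


def rule_cost(tables):
    """Map "gid:sid" -> Avg/Check microseconds from the rules table."""
    out = {}
    for row in tables["rules"]:
        if len(row) < 9:
            continue  # malformed row; skip rather than guess
        _num, sid, gid, _rev, _checks, _matches, _alerts, _usecs, avg_check = row[:9]
        out[f"{gid}:{sid}"] = float(avg_check)
    return out


def compare_runs(old_lines, new_lines, factor=2.0):
    """Rules whose Avg/Check grew by at least `factor` between two logs."""
    old = rule_cost(extract_tables(old_lines))
    new = rule_cost(extract_tables(new_lines))
    return sorted(k for k in new if k in old and old[k] > 0 and new[k] >= factor * old[k])


# Constructed sample logs (not real Snort output). Note the sshd line: it is
# in the same file but is filtered out by program name, not by level.
SAMPLE_OLD = """\
Jun 22 15:04:01 ids sshd[900]: Accepted publickey for parker from 10.0.0.5
Jun 22 15:04:02 ids snort[1234]: Rule Profile Statistics (all rules)
Jun 22 15:04:02 ids snort[1234]: ==========================================
Jun 22 15:04:02 ids snort[1234]:    Num      SID GID Rev     Checks   Matches    Alerts   Microsecs  Avg/Check  Avg/Match Avg/Nonmatch
Jun 22 15:04:02 ids snort[1234]:    ===      === === ===     ======   =======    ======   =========  =========  ========= ============
Jun 22 15:04:02 ids snort[1234]:      1     2003   1   8      10000        12        12       20000        2.0      100.0          1.9
Jun 22 15:04:02 ids snort[1234]:      2     1000   1   1        500         0         0         250        0.5        0.0          0.5
Jun 22 15:04:02 ids snort[1234]: Preprocessor Profile Statistics (all)
Jun 22 15:04:02 ids snort[1234]: ==========================================
Jun 22 15:04:02 ids snort[1234]:  Num   Preprocessor Layer     Checks      Exits   Microsecs  Avg/Check Pct of Caller Pct of Total
Jun 22 15:04:02 ids snort[1234]:  ===   ============ =====     ======      =====   =========  ========= ============= ============
Jun 22 15:04:02 ids snort[1234]:   1          detect     0      10000      10000       30000        3.0          60.0         60.0
Jun 22 15:04:02 ids snort[1234]:   2         stream5     0      10000      10000       15000        1.5          30.0         30.0
Jun 22 15:04:02 ids snort[1234]: Snort exiting
"""
SAMPLE_NEW = SAMPLE_OLD.replace("20000        2.0", "50000        5.0") \
                       .replace("250        0.5", "300        0.6")

if __name__ == "__main__":
    t = extract_tables(SAMPLE_OLD.splitlines())
    print("rules:", len(t["rules"]), "preprocs:", len(t["preprocs"]))
    print("rules at least 2x slower:", compare_runs(SAMPLE_OLD.splitlines(), SAMPLE_NEW.splitlines()))
```

Run it against the real files as `extract_tables(open("/var/log/snort_notice"))`; since it keys on the program field rather than syslog level, it works equally on a combined /var/log/syslog. Keep one saved table per restart and feed pairs to compare_runs for the historical comparison asked about above.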
