[Snort-users] Useful logging of performance statistics

Jason Wallace jason.r.wallace at ...11827...
Tue Jun 22 19:00:52 EDT 2010


If the goal is to only have snort logs in those files then I do not
think what you have will work. That would result in log files with all
info logs, including system logs, in snort_info, all warn logs in
snort_warn...etc. You need to add something to the filters to tell
them you want those levels but only for snort-related logs. I'm not
in front of my box right now but I think (from memory) you might be
looking for the "match" statement...or "program" might work.

Wally
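As an added illustration of the "program" and "match" approach Wally points at (not config from the thread): the filters below keep each snort_* file restricted to Snort's own messages and send the profiling output to a file of its own. Assumptions: Snort logs to syslog under the program name "snort", the s_all source and snort_* destinations are the ones Parker posted, and match() with value() needs syslog-ng 3.x.

```conf
# Only messages whose syslog program field is "snort" (assumed program name).
filter f_snort { program("snort"); };

# Snort's profiling output. match() tests the message text, so this catches the
# header lines; the table rows that follow carry no such marker and would need
# a pattern of their own.
filter f_snort_profile {
    filter(f_snort) and match("Profile Statistics" value("MESSAGE"));
};

# Per-level filters, now limited to Snort (the originals matched every program).
filter f_snort_info   { filter(f_snort) and level(info); };
filter f_snort_notice { filter(f_snort) and level(notice); };
filter f_snort_warn   { filter(f_snort) and level(warn); };
filter f_snort_err    { filter(f_snort) and level(err); };
filter f_snort_crit   { filter(f_snort) and level(crit); };
filter f_snort_emerg  { filter(f_snort) and level(emerg); };

# Separate file for the profiling lines; owner/group/perm keep it readable by
# root and the adm group only, matching the other snort_* files in the listing.
destination snort_profile {
    file("/var/log/snort_profile" owner("root") group("adm") perm(0640));
};

# Profiling first, with flags(final) so those lines are not also written to
# snort_notice by the level-based statement below.
log { source(s_all); filter(f_snort_profile); destination(snort_profile); flags(final); };

log { source(s_all); filter(f_snort_info);   destination(snort_info); };
log { source(s_all); filter(f_snort_notice); destination(snort_notice); };
log { source(s_all); filter(f_snort_warn);   destination(snort_warn); };
log { source(s_all); filter(f_snort_err);    destination(snort_err); };
log { source(s_all); filter(f_snort_crit);   destination(snort_crit); };
log { source(s_all); filter(f_snort_emerg);  destination(snort_emerg); };
```

Check the program name with `logger -t snort test` against the resulting files before relying on it, since Snort's syslog ident is what program() actually compares.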

On Tue, Jun 22, 2010 at 5:05 PM, Crook, Parker <Parker_Crook at ...14786...> wrote:
> Wally,
>
> Here's my sources:
>
> source s_all {
>        # message generated by Syslog-NG
>        internal();
>        # standard Linux log source (this is the default place for the syslog()
>        # function to send logs to)
>        unix-stream("/dev/log");
>        # messages from the kernel
>        file("/proc/kmsg" log_prefix("kernel: "));
>        # use the following line if you want to receive remote UDP logging messages
>        # (this is equivalent to the "-r" syslogd flag)
>        # udp();
> };
>
> -Parker
>
> -----Original Message-----
> From: Jason Wallace [mailto:jason.r.wallace at ...11827...]
> Sent: Tuesday, June 22, 2010 4:53 PM
> To: Crook, Parker
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Useful logging of performance statistics
>
> Out of curiosity what do you have for sources? Is s_all just snort logs?
>
> Wally
>
> On Tue, Jun 22, 2010 at 3:55 PM, Crook, Parker <Parker_Crook at ...14786...> wrote:
>> Good afternoon all,
>>
>>
>>
>> I recently switched over to syslog-ng in my lab environment after living
>> with the status-quo for way too long (On Debian, Snort logs to
>> /var/log/syslog).  After being lazy and scrolling the few hundred/thousand
>> lines to get to the rules and preprocessor stats in my log files, I wanted a
>> better way.  Now that I am using syslog-ng, I have:
>>
>> #DESTINATION
>> destination snort_info { file("/var/log/snort_info"); };
>> destination snort_warn { file("/var/log/snort_warn"); };
>> destination snort_notice { file("/var/log/snort_notice"); };
>> destination snort_crit { file("/var/log/snort_crit"); };
>> destination snort_err { file("/var/log/snort_err"); };
>> destination snort_emerg { file("/var/log/snort_emerg"); };
>>
>> #FILTER
>> filter f_snort_info { level(info); };
>> filter f_snort_notice { level(notice); };
>> filter f_snort_warn { level(warn); };
>> filter f_snort_crit { level(crit); };
>> filter f_snort_err { level(err); };
>> filter f_snort_emerg { level(emerg); };
>>
>> #LOG
>> log { source(s_all); filter(f_snort_info); destination(snort_info); };
>> log { source(s_all); filter(f_snort_notice); destination(snort_notice); };
>> log { source(s_all); filter(f_snort_warn); destination(snort_warn); };
>> log { source(s_all); filter(f_snort_crit); destination(snort_crit); };
>> log { source(s_all); filter(f_snort_err); destination(snort_err); };
>> log { source(s_all); filter(f_snort_emerg); destination(snort_emerg); };
>>
>> And was kind of hoping for a nice breakup of logging; alas:
>>
>>   4 drwxr-xr-x 2 snort       snort   4096 2010-06-22 15:04 snort
>>  12 -rw-r----- 1 root        adm     8465 2010-06-22 15:04 snort_err
>> 452 -rw-r----- 1 root        adm   455815 2010-06-22 15:17 snort_info
>> 588 -rw-r----- 1 root        adm   597570 2010-06-22 15:04 snort_notice
>>  24 -rw-r----- 1 root        adm    22932 2010-06-22 15:04 snort_warn
>>
>> So I found the Preprocessor Profile Statistics & Rule Profile Statistics in
>> snort_notice, but I still have to rummage through a bunch of cruft just to
>> get what I am looking for.  So my question is:  Is there a better way?  I
>> want to log my rule profile & preprocessor profile statistics to a log unto
>> themselves for easy(ier) historical comparison.
>>
>>
>>
>> Thanks,
>>
>> Parker
>>
>