[Snort-users] Snort and Syslog

Phil Daws uxbod at ...14273...
Thu Apr 4 08:23:54 EDT 2013


Hi,

When Snort starts it writes specific information to /var/log/messages eg.

Apr  4 12:01:40 fw1 snort[2951]: [ Port Based Pattern Matching Memory ]
Apr  4 12:01:40 fw1 snort[2951]: +- [ Aho-Corasick Summary ] -------------------------------------
Apr  4 12:01:40 fw1 snort[2951]: | Storage Format    : Full-Q
Apr  4 12:01:40 fw1 snort[2951]: | Finite Automaton  : DFA
Apr  4 12:01:40 fw1 snort[2951]: | Alphabet Size     : 256 Chars
Apr  4 12:01:40 fw1 snort[2951]: | Sizeof State      : Variable (1,2,4 bytes)
Apr  4 12:01:40 fw1 snort[2951]: | Instances         : 294
Apr  4 12:01:40 fw1 snort[2951]: |     1 byte states : 275
Apr  4 12:01:40 fw1 snort[2951]: |     2 byte states : 19
Apr  4 12:01:40 fw1 snort[2951]: |     4 byte states : 0
Apr  4 12:01:40 fw1 snort[2951]: | Characters        : 249637

How can I redirect those messages to a separate file as it plays havoc with OSSEC :) I have tried adding snort.none to rsyslog.conf for /var/log/messages and then added snort.* to direct too another file. That did not work :(

Any thoughts please ?




More information about the Snort-users mailing list