[Snort-users] Snort and Syslog

waldo kitty wkitty42 at ...14940...
Thu Apr 4 13:38:13 EDT 2013


On 4/4/2013 10:45, Josh Bitto wrote:
> You're probably better off asking this question in rsyslog's mail group. I've gotten a lot of help from them.

or even better, report it to OSSEC so it can be fixed and not have the problems 
any more... one has to wonder what all the other OSSEC using sites do since this 
info is always posted... i just checked a live snort 2.8.something installation 
and it posts this info, too... i know there are folks using OSSEC who used to 
run snort 2.8...

> -----Original Message-----
> From: Phil Daws [mailto:uxbod at ...14273...]
> Sent: Thursday, April 04, 2013 5:24 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Snort and Syslog
>
> Hi,
>
> When Snort starts it writes specific information to /var/log/messages eg.
>
> Apr  4 12:01:40 fw1 snort[2951]: [ Port Based Pattern Matching Memory ]
> Apr  4 12:01:40 fw1 snort[2951]: +- [ Aho-Corasick Summary ] -------------------------------------
> Apr  4 12:01:40 fw1 snort[2951]: | Storage Format    : Full-Q
> Apr  4 12:01:40 fw1 snort[2951]: | Finite Automaton  : DFA
> Apr  4 12:01:40 fw1 snort[2951]: | Alphabet Size     : 256 Chars
> Apr  4 12:01:40 fw1 snort[2951]: | Sizeof State      : Variable (1,2,4 bytes)
> Apr  4 12:01:40 fw1 snort[2951]: | Instances         : 294
> Apr  4 12:01:40 fw1 snort[2951]: |     1 byte states : 275
> Apr  4 12:01:40 fw1 snort[2951]: |     2 byte states : 19
> Apr  4 12:01:40 fw1 snort[2951]: |     4 byte states : 0
> Apr  4 12:01:40 fw1 snort[2951]: | Characters        : 249637
>
> How can I redirect those messages to a separate file, as it plays havoc with OSSEC? :) I have tried adding snort.none to rsyslog.conf for /var/log/messages and then added snort.* to direct to another file. That did not work :(
>
> Any thoughts please?
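One way to get the result Phil is after, as an added example that is not from anyone in the thread: classic selectors such as `snort.none` or `snort.*` match on `facility.priority`, and `snort` is not a syslog facility (the facility names are fixed: auth, daemon, local0-local7, and so on), so rsyslog has to match on the message's program name, which it derives from the `snort[2951]:` tag. The drop-in file path and the destination log path are assumptions.

```conf
# /etc/rsyslog.d/10-snort.conf  (assumed path; it must be read before the
# rule that writes *.info;mail.none;... to /var/log/messages, otherwise the
# snort lines have already been copied there when the discard runs)

# Property-based filter on the program name taken from the syslog tag.
# The pattern-matcher summary and other startup chatter go to their own file.
:programname, isequal, "snort"    /var/log/snort/snort-daemon.log   # assumed path

# '&' repeats the previous selector; '~' discards the message so no later
# rule (including the /var/log/messages one) sees it. On rsyslog 7+ the
# preferred spelling of the discard action is:  & stop
& ~

# Equivalent RainerScript form for rsyslog 7 and later, if the legacy
# syntax is not wanted (use one form or the other, not both):
#
#   if $programname == 'snort' then {
#       action(type="omfile" file="/var/log/snort/snort-daemon.log")
#       stop
#   }
```

Caveat for the OSSEC side: if Snort's alert_syslog output is in use, those alerts carry the same `snort` tag and are diverted by this rule too, so OSSEC then has to read /var/log/snort/snort-daemon.log (or the filter has to be narrowed with a regex on the message text) rather than /var/log/messages.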
