[Snort-users] How to stop snort to log startup messages into syslog?

Jeremy Hoel jthoel at ...11827...
Tue Apr 15 13:25:20 EDT 2014


Found it..

From the SO mailing list (more info here:
http://seclists.org/snort/2013/q2/55)

---------------
Hi Phil,

In Security Onion, we start Snort using the NSMnow scripts which
provide a function called process_start.  This function starts the
process and writes the log to a dedicated log file (not syslog).  In
the following code snippet, you can see that we're logging to $LOG,
which ends up being /var/log/nsm/HOSTNAME-INTERFACE/snortu-1.log.

    # Start $IDS_LB_PROCS instances of Snort using pfring load-balancing
    for i in `seq 1 $IDS_LB_PROCS`; do
        PID=$PROCESS_PID_DIR/$SENSOR/snortu-$i.pid
        LOG=$PROCESS_LOG_DIR/$SENSOR/snortu-$i.log
        PERFMON=$SENSOR_LOG_DIR/snort-$i.stats
        UNI_DIR=$SENSOR_LOG_DIR/snort-$i
        mkdir -p $UNI_DIR
        chown $SENSOR_USER:$SENSOR_GROUP $UNI_DIR
        [ -z "$SKIP_SNORT_ALERT" ] && process_start "snort" "-c $SNORT_CONFIG -u $SENSOR_USER -g $SENSOR_GROUP -i $SENSOR_INTERFACE_SHORT -F /etc/nsm/$SENSOR/bpf-ids.conf -l $UNI_DIR --perfmon-file $PERFMON $SNORT_OPTIONS" "$PID" "$LOG" "snort-$i (alert data)"
    done



On Tue, Apr 15, 2014 at 5:22 PM, Jeremy Hoel <jthoel at ...11827...> wrote:

> But that option is just for its alerting output, right? Not the
> startup/shutdown messages (of which there are more than a few).  I
> commented out the output line (output alert_syslog: LOG_LOCAL6 LOG_ALERT)
> in my snort.conf and I still see the startup/shutdown messages.
>
> For the OP - Security Onion does this (negates the messages in syslog) and
> it does it by starting snort differently. I'm trying to find the thread
> that talked about it.
>
>
> On Tue, Apr 15, 2014 at 5:02 PM, Nicholas Mavis (nmavis) <nmavis at ...589...
> > wrote:
>
>> You can turn off syslogging in your Snort.conf file. I would recommend
>> reading through the following:
>>
>> http://manual.snort.org/node21.html
>>
>> -Nick
>>
>>
>> On 4/15/14, 11:55 AM, "Gerhard Mourani" <GMourani at ...16783...> wrote:
>>
>> >Hello list,
>> >
>> >I don¹t know if there is a way to start the Snort process without having
>> >its startup messages being logged into syslog -> /var/log/messages?
>> >I¹ve tried to start it with the following parameters without success,
>> >still log startup messages into the /var/log/messages file.
>> >
>> >snort -c /etc/snort/snort.conf -D -g snort -q -N --daq afpacket --daq-var
>> >buffer_size=512MB -i eth1
>> >
>> >Regards,
>>
>> >--------------------------------------------------------------------------
>> >----
>> >Learn Graph Databases - Download FREE O'Reilly Book
>> >"Graph Databases" is the definitive new guide to graph databases and
>> their
>> >applications. Written by three acclaimed leaders in the field,
>> >this first edition is now available. Download your free book today!
>> >http://p.sf.net/sfu/NeoTech
>> >_______________________________________________
>> >Snort-users mailing list
>> >Snort-users at lists.sourceforge.net
>> >Go to this URL to change user options or unsubscribe:
>> >https://lists.sourceforge.net/lists/listinfo/snort-users
>> >Snort-users list archive:
>> >http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>> >
>> >Please visit http://blog.snort.org to stay current on all the latest
>> >Snort news!
>>
>>
>>
>>
>
>
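The launcher pattern Jeremy quotes above, as an added example that is not NSMnow's, Security Onion's or Snort's own code: a minimal process_start/process_stop pair in POSIX sh. What it demonstrates is why that approach works where the OP's command line does not. Snort 2.x routes its own status messages to syslog whenever it is daemonized with -D (or explicitly told to with -M); run in the foreground they go to stderr. So the launcher leaves -D out, backgrounds the foreground process from the shell, and redirects stdout and stderr to a dedicated file, which is where the startup banner and shutdown summary then land instead of /var/log/messages. The snort binary is replaced by a constructed stand-in function (fake_snort) so the script runs offline; the directory and file names, and the start_demo/stop_demo helpers, are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from NSMnow or Snort. Same idea as Security
# Onion's process_start: launch Snort WITHOUT -D (foreground mode, so its
# status messages go to stderr rather than syslog), background it from
# the shell, send stdout+stderr to a dedicated log, and remember the PID.

# Usage: process_start PIDFILE LOGFILE CMD [ARGS...]   (prints the PID)
process_start() {
    pidfile=$1; logfile=$2; shift 2
    mkdir -p "$(dirname "$pidfile")" "$(dirname "$logfile")"
    # No -D here: the shell does the backgrounding, and the redirection
    # keeps the startup banner and shutdown summary out of /var/log/messages.
    "$@" >>"$logfile" 2>&1 &
    pid=$!
    printf '%s\n' "$pid" >"$pidfile"
    printf '%s\n' "$pid"
}

# Usage: process_stop PIDFILE   (SIGTERM the recorded PID, drop the pid file)
process_stop() {
    pidfile=$1
    [ -f "$pidfile" ] || return 1
    kill -TERM "$(cat "$pidfile")" 2>/dev/null
    rm -f "$pidfile"
}

# Constructed stand-in for the snort binary so the example runs offline.
# It prints the kind of lines Snort emits at startup, on stdout and stderr.
fake_snort() {
    echo "        --== Initializing Snort ==--"
    echo "Commencing packet processing (pid=$$)" >&2
}

# Start the stand-in the way the sensor scripts start snortu-1 and report
# whether both of its messages ended up in the dedicated log (exit 0/1).
start_demo() {
    dir=$(mktemp -d)
    process_start "$dir/snortu-1.pid" "$dir/snortu-1.log" fake_snort >/dev/null
    wait "$(cat "$dir/snortu-1.pid")"   # the stand-in exits at once; Snort would not
    grep -q 'Initializing Snort' "$dir/snortu-1.log" &&
        grep -q 'Commencing packet processing' "$dir/snortu-1.log"
}

# Start a long-lived process, stop it through the pid file, and confirm
# that it is gone and that the pid file was removed (exit 0/1).
stop_demo() {
    dir=$(mktemp -d)
    process_start "$dir/snortu-1.pid" "$dir/snortu-1.log" sleep 60 >/dev/null
    pid=$(cat "$dir/snortu-1.pid")
    process_stop "$dir/snortu-1.pid"
    wait "$pid" 2>/dev/null || true     # reap it; the non-zero status is the SIGTERM
    ! kill -0 "$pid" 2>/dev/null && [ ! -f "$dir/snortu-1.pid" ]
}

# Real use (assumed paths), the OP's command line minus -D:
#   process_start /var/run/nsm/snortu-1.pid /var/log/nsm/snortu-1.log \
#       snort -c /etc/snort/snort.conf -g snort -q -N \
#             --daq afpacket --daq-var buffer_size=512MB -i eth1
```

Note that this does not silence the messages; it moves them. The alert output is still governed by snort.conf (the alert_syslog line Jeremy mentions), and the file under /var/log/nsm needs the same rotation and permissions care as any other log the sensor writes.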