[Snort-users] How to stop snort to log startup messages into syslog?

Jeremy Hoel jthoel at ...11827...
Tue Apr 15 13:55:23 EDT 2014


It's not my scripts.. I would look up the NSM scripts and maybe grab a
SecurityOnion live CD and check out its startup scripts.

Also.. LOG is defined as:   LOG=$PROCESS_LOG_DIR/$SENSOR/snortu-$i.log




On Tue, Apr 15, 2014 at 5:50 PM, Gerhard Mourani <GMourani at ...16783...> wrote:

>  Not clear, I can't find the parameter related to $LOG in your message;
> it seems to be inside the process_start script.
>
>
>  On Apr 15, 2014, at 1:25 PM, Jeremy Hoel <jthoel at ...11827...> wrote:
>
>  Found it..
>
>  From the So mailing list..  (more info here -
> http://seclists.org/snort/2013/q2/55)
>
>  ---------------
> Hi Phil,
>
> In Security Onion, we start Snort using the NSMnow scripts which
> provide a function called process_start.  This function starts the
> process and writes the log to a dedicated log file (not syslog).  In
> the following code snippet, you can see that we're logging to $LOG,
> which ends up being /var/log/nsm/HOSTNAME-INTERFACE/snortu-1.log.
>
>                 # Start $IDS_LB_PROCS instances of Snort using pfring load-balancing
>                 for i in `seq 1 $IDS_LB_PROCS`; do
>                         PID=$PROCESS_PID_DIR/$SENSOR/snortu-$i.pid
>                         LOG=$PROCESS_LOG_DIR/$SENSOR/snortu-$i.log
>                         PERFMON=$SENSOR_LOG_DIR/snort-$i.stats
>                         UNI_DIR=$SENSOR_LOG_DIR/snort-$i
>                         mkdir -p $UNI_DIR
>                         chown $SENSOR_USER:$SENSOR_GROUP $UNI_DIR
>                         [ -z "$SKIP_SNORT_ALERT" ] && process_start
> "snort" "-c $SNORT_CONFIG -u $SENSOR_USER -g $SENSOR_GROUP -i
> $SENSOR_INTERFACE_SHORT -F /etc/nsm/$SENSOR/bpf-ids.conf -l $UNI_DIR
> --perfmon-file $PERFMON $SNORT_OPTIONS
> " "$PID" "$LOG" "snort-$i (alert data)"
>                 done
>
>
>
> On Tue, Apr 15, 2014 at 5:22 PM, Jeremy Hoel <jthoel at ...11827...> wrote:
>
>> But that option is just for its alerting output, right? Not the
>> startup/shutdown messages (of which there are more than a few).  I
>> commented out the output line (output alert_syslog: LOG_LOCAL6 LOG_ALERT)
>> in my snort.conf and I still see the startup/shutdown messages.
>>
>>  For the OP - Security Onion does this (negates the messages in syslog)
>> and it does it by starting snort differently. I'm trying to find the thread
>> that talked about it.
>>
>>
>> On Tue, Apr 15, 2014 at 5:02 PM, Nicholas Mavis (nmavis) <
>> nmavis at ...589...> wrote:
>>
>>> You can turn off syslogging in your Snort.conf file. I would recommend
>>> reading through the following:
>>>
>>> http://manual.snort.org/node21.html
>>>
>>> -Nick
>>>
>>>
>>> On 4/15/14, 11:55 AM, "Gerhard Mourani" <GMourani at ...16783...> wrote:
>>>
>>> >Hello list,
>>> >
>>> >I don't know if there is a way to start the Snort process without having
>>> >its startup messages being logged into syslog -> /var/log/messages?
>>> >I've tried to start it with the following parameters without success; it
>>> >still logs startup messages into the /var/log/messages file.
>>> >
>>> >snort -c /etc/snort/snort.conf -D -g snort -q -N --daq afpacket --daq-var buffer_size=512MB -i eth1
>>> >
>>> >Regards,
>>>
>>> >------------------------------------------------------------------------------
>>> >Learn Graph Databases - Download FREE O'Reilly Book
>>> >"Graph Databases" is the definitive new guide to graph databases and
>>> their
>>> >applications. Written by three acclaimed leaders in the field,
>>> >this first edition is now available. Download your free book today!
>>> >http://p.sf.net/sfu/NeoTech
>>> >_______________________________________________
>>> >Snort-users mailing list
>>> >Snort-users at lists.sourceforge.net
>>> >Go to this URL to change user options or unsubscribe:
>>> >https://lists.sourceforge.net/lists/listinfo/snort-users
>>> >Snort-users list archive:
>>> >http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>> >
>>> >Please visit http://blog.snort.org to stay current on all the latest
>>> >Snort news!
>>>
>>>
>>>
>>>
>>
>>
>
>
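The thread's answer is to change how Snort is started, not what is in snort.conf: the original poster's command runs Snort with -D, and a daemonized Snort reports its own startup/shutdown messages through syslog, while Security Onion's process_start launches it in the foreground under a wrapper that captures stdout/stderr into a per-instance log file. The wrapper below is an added example written in that spirit; it is not the NSMnow code, and the function names, the fake sensor script and the log/pid paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the NSMnow process_start): start a sensor process with
# its stdout/stderr appended to a dedicated log file instead of syslog,
# record its PID and confirm it is still alive.
#   process_start "<cmd>" "<args as one string>" "<pidfile>" "<logfile>" "<label>"
process_start() {
    _cmd=$1; _args=$2; _pidf=$3; _log=$4; _label=$5
    mkdir -p "$(dirname "$_pidf")" "$(dirname "$_log")"
    # No -D here on purpose: let the shell background the process so every
    # message Snort prints lands in $_log rather than /var/log/messages.
    # $_args is deliberately unquoted so the single argument string is
    # word-split into separate options, as in the quoted NSMnow snippet.
    $_cmd $_args >>"$_log" 2>&1 </dev/null &
    echo $! >"$_pidf"
    sleep 1
    if kill -0 "$(cat "$_pidf")" 2>/dev/null; then
        echo "Started $_label (pid $(cat "$_pidf")), messages in $_log"
        return 0
    fi
    echo "Failed to start $_label; see $_log" >&2
    return 1
}

# Counterpart: stop the instance recorded in the pid file with SIGTERM so its
# shutdown messages also end up in the instance log, not in syslog.
#   process_stop "<pidfile>" "<label>"
process_stop() {
    _pidf=$1; _label=$2
    [ -r "$_pidf" ] || { echo "No pid file for $_label" >&2; return 1; }
    if kill -TERM "$(cat "$_pidf")" 2>/dev/null; then
        echo "Stopped $_label"
        return 0
    fi
    echo "$_label not running (stale pid file $_pidf)" >&2
    return 1
}
```

Plug the real command in exactly as the NSMnow loop does (snort, the "-c ... -i ... -l ..." option string, the per-instance pid and log paths), and the only thing left in syslog is what your output plugins explicitly send there.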