[Snort-users] How to stop snort to log startup messages into syslog?

Jeremy Hoel jthoel at ...11827...
Tue Apr 15 14:04:45 EDT 2014


I believe that's part of the function of 'process_start'. Again, grab the
NSM scripts or a Security Onion CD and check it out from there.



On Tue, Apr 15, 2014 at 5:58 PM, Gerhard Mourani <GMourani at ...16783...> wrote:

>  Yes, but nothing that shows how logs are redirected from /var/log/messages
> to LOG=$PROCESS_LOG_DIR/$SENSOR/snortu-$i.log
>
>
>  On Apr 15, 2014, at 1:55 PM, Jeremy Hoel <jthoel at ...11827...> wrote:
>
>  They're not my scripts. I would look up the NSM scripts and maybe grab a
> SecurityOnion live CD and check out its startup scripts.
>
>  Also, LOG is defined as:   LOG=$PROCESS_LOG_DIR/$SENSOR/snortu-$i.log
>
>
>
>
> On Tue, Apr 15, 2014 at 5:50 PM, Gerhard Mourani <GMourani at ...16783...> wrote:
>
>> Not clear, I can’t find the parameter related to $LOG in your message; it
>> seems to be inside the process_start script.
>>
>>
>>  On Apr 15, 2014, at 1:25 PM, Jeremy Hoel <jthoel at ...11827...> wrote:
>>
>>  Found it..
>>
>>  From the So mailing list..  (more info here -
>> http://seclists.org/snort/2013/q2/55)
>>
>>  ---------------
>> Hi Phil,
>>
>> In Security Onion, we start Snort using the NSMnow scripts which
>> provide a function called process_start.  This function starts the
>> process and writes the log to a dedicated log file (not syslog).  In
>> the following code snippet, you can see that we're logging to $LOG,
>> which ends up being /var/log/nsm/HOSTNAME-INTERFACE/snortu-1.log.
>>
>>     # Start $IDS_LB_PROCS instances of Snort using pfring load-balancing
>>     for i in `seq 1 $IDS_LB_PROCS`; do
>>         PID=$PROCESS_PID_DIR/$SENSOR/snortu-$i.pid
>>         LOG=$PROCESS_LOG_DIR/$SENSOR/snortu-$i.log
>>         PERFMON=$SENSOR_LOG_DIR/snort-$i.stats
>>         UNI_DIR=$SENSOR_LOG_DIR/snort-$i
>>         mkdir -p $UNI_DIR
>>         chown $SENSOR_USER:$SENSOR_GROUP $UNI_DIR
>>         [ -z "$SKIP_SNORT_ALERT" ] && process_start "snort" \
>>             "-c $SNORT_CONFIG -u $SENSOR_USER -g $SENSOR_GROUP -i $SENSOR_INTERFACE_SHORT -F /etc/nsm/$SENSOR/bpf-ids.conf -l $UNI_DIR --perfmon-file $PERFMON $SNORT_OPTIONS" \
>>             "$PID" "$LOG" "snort-$i (alert data)"
>>     done
>>
>>
>>
>> On Tue, Apr 15, 2014 at 5:22 PM, Jeremy Hoel <jthoel at ...11827...> wrote:
>>
>>> But that option is just for its alerting output, right? Not the
>>> startup/shutdown messages (of which there are more than a few).  I
>>> commented out the output line (output alert_syslog: LOG_LOCAL6 LOG_ALERT)
>>> in my snort.conf and I still see the startup/shutdown messages.
>>>
>>>  For the OP - Security Onion does this (negates the messages in syslog)
>>> and it does it by starting snort differently. I'm trying to find the thread
>>> that talked about it.
>>>
>>>
>>> On Tue, Apr 15, 2014 at 5:02 PM, Nicholas Mavis (nmavis) <nmavis at ...589...> wrote:
>>>
>>>> You can turn off syslogging in your Snort.conf file. I would recommend
>>>> reading through the following:
>>>>
>>>> http://manual.snort.org/node21.html
>>>>
>>>> -Nick
>>>>
>>>>
>>>> On 4/15/14, 11:55 AM, "Gerhard Mourani" <GMourani at ...16783...> wrote:
>>>>
>>>> >Hello list,
>>>> >
>>>> >I don't know if there is a way to start the Snort process without having
>>>> >its startup messages logged into syslog -> /var/log/messages?
>>>> >I've tried to start it with the following parameters without success; it
>>>> >still logs startup messages into the /var/log/messages file.
>>>> >
>>>> >snort -c /etc/snort/snort.conf -D -g snort -q -N --daq afpacket --daq-var buffer_size=512MB -i eth1
>>>> >
>>>> >Regards,
>>>>
>>>> >_______________________________________________
>>>> >Snort-users mailing list
>>>> >Snort-users at lists.sourceforge.net
>>>> >Go to this URL to change user options or unsubscribe:
>>>> >https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> >Snort-users list archive:
>>>> >http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>> >
>>>> >Please visit http://blog.snort.org to stay current on all the latest
>>>> >Snort news!
>>>
>>>
>>
>>
>
>
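Added example, not from this thread and not NSMnow's own code: a minimal POSIX sh sketch of the approach the quoted Security Onion message describes, where process_start backgrounds the daemon and captures its stdout/stderr in a dedicated log file rather than letting the messages reach syslog. The function signature (command, argument string, pidfile, logfile, description) mirrors the call in the quoted snippet; the body is an assumption, since the real process_start is not shown on the page. It also assumes what the thread reports, that the daemon is started without a detach flag (no -D for Snort) so its startup messages stay on stdout/stderr. The `demo` function, the `fake-ids` stand-in daemon and the `-i eth1` arguments are constructed for the example.

```shell
#!/bin/sh
# Added example, not NSMnow's process_start: start a daemon in the background
# and capture its stdout/stderr in a dedicated log file (not syslog).
# The signature mirrors the quoted call: cmd, argument string, pidfile,
# logfile, description. The body is an assumption; the real NSMnow
# implementation is not on the page.

process_start() {
    CMD=$1; ARGS=$2; PIDFILE=$3; LOGFILE=$4; DESC=$5
    mkdir -p "$(dirname "$PIDFILE")" "$(dirname "$LOGFILE")"
    # Run the daemon in the foreground from its own point of view (for Snort
    # that means no -D) so startup messages go to stdout/stderr; redirect both
    # streams into $LOGFILE and background it from the shell instead.
    # $ARGS is deliberately unquoted: it is one string that must word-split.
    $CMD $ARGS >>"$LOGFILE" 2>&1 &
    echo $! >"$PIDFILE"
    echo "started $DESC (pid $(cat "$PIDFILE"), log $LOGFILE)"
}

process_stop() {
    PIDFILE=$1
    [ -f "$PIDFILE" ] || return 1
    kill "$(cat "$PIDFILE")" 2>/dev/null || true
    rm -f "$PIDFILE"
}

# Constructed demo: a stand-in "IDS" that behaves like a daemon started
# without a detach flag, writing a banner to stdout and a warning to stderr,
# then idling until it is stopped.
demo() {
    WORK=$(mktemp -d)
    FAKE=$WORK/fake-ids
    cat >"$FAKE" <<'EOF'
#!/bin/sh
echo "Initializing fake IDS on interface $2"
echo "WARNING: no rules loaded" >&2
exec sleep 5
EOF
    chmod +x "$FAKE"
    process_start "$FAKE" "-i eth1" "$WORK/pid/fake-1.pid" \
        "$WORK/log/fake-1.log" "fake-1 (alert data)" >/dev/null
    sleep 1                      # give the daemon time to write its banner
    process_stop "$WORK/pid/fake-1.pid"
    # Print the log path so a caller can inspect what was captured.
    echo "$WORK/log/fake-1.log"
}
```

Calling `demo` starts the stand-in, stops it a second later, and prints the path of the per-process log; both the stdout banner and the stderr warning end up in that file and nothing is sent to syslog, which is the property the thread attributes to the Security Onion start-up scripts.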