[Snort-users] Unified logging doesn't work.

Steve Crow scrow at ...16818...
Tue Jun 10 18:43:31 EDT 2014


I don’t question that your command works, my question has to do with having snort start at boot. The recommended install docs at sourceforge use /etc/init.d/snortd and /etc/sysconfig/snort files. But they are not designed for unified output as far as I can tell.
If I go with your command, where do I place it to have snort automatically start up at boot time?
Thanks again!
Steve
From: James Lay [mailto:jlay at ...13475...] 
Sent: Monday, June 09, 2014 7:51 PM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Unified logging doesn't work.
On Mon, 2014-06-09 at 16:47 -0500, Steve Crow wrote: 
What script does that line go into?
I don't think I have seen it in the many googled documents that I have been
reviewing.
 
Steve
 
 
-----Original Message-----
From: James Lay [mailto:jlay at ...13475...] 
Sent: Monday, June 09, 2014 4:20 PM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Unified logging doesn't work.
 
On 2014-06-09 15:16, Steve Crow wrote:
> In the /etc/sysconfig/snort file there is this:
> 
> #### General Configuration
> 
> # What interface should snort listen on?  [Pick only 1 of the next 3!]
> # This is -i {interface} on the command line
> # This is the snort.conf config interface: {interface} directive
> #INTERFACE=eth0
> #
> # The following two options are not directly supported on the command line
> # or in the conf file and assume the same Snort configuration for all
> # instances
> #
> # To listen on all interfaces use this:
> #INTERFACE=ALL
> #
> # To listen only on given interfaces use this:
> INTERFACE="eth0 eth1"
> 
> -----------------
> 
> I included the full text in a reply to Joel. I am considering changing 
> this to ALL if Barnyard2 will work with a single unified file that 
> covers more than one interface. We're not a high bandwidth operation, 
> so I don't think I need to configure separate processes and 
> configuration files for each interface.
> 
> Steve
 
Well...I don't recognize the sysconfig file but I can tell you that:
 
snort --daq afpacket --daq-mode passive -i eth0:eth1
 
Works like a champ and creates only one unified file.
 
James
 


Currently my /etc/rc.local....but I did my own setup.  This is just straight command line.

James
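The open question in this thread is how to get James's single-process command (one afpacket DAQ instance listening on `eth0:eth1`, hence one unified2 stream) started at boot when the stock snortd/sysconfig pair expects per-interface processes. The script below is an added example, not code from this thread, from the snortd init script or from the Snort project. It reads the `INTERFACE=` setting from a /etc/sysconfig/snort-style file and builds James's command line from it, so it can be invoked from /etc/rc.local (where James keeps his) instead of snortd. The binary, snort.conf and log-directory paths, the script name `snort-start.sh`, and the choice to source the sysconfig file in a subshell are assumptions; the `-c`, `-l` and `-D` options are standard Snort 2 flags.

```shell
#!/bin/sh
# Added example (not from the thread or the Snort project): start one Snort
# process over several interfaces with the afpacket DAQ, driven by the
# INTERFACE= line of a /etc/sysconfig/snort-style file.
# Assumed paths; override them in the environment or edit here.
SNORT_BIN=${SNORT_BIN:-/usr/local/bin/snort}
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
SNORT_LOGDIR=${SNORT_LOGDIR:-/var/log/snort}

# iface_spec "eth0 eth1" -> eth0:eth1  (the -i form James posted)
# iface_spec ALL         -> every non-loopback NIC from /sys/class/net, joined by ':'
iface_spec() {
    list=$1
    if [ "$list" = ALL ]; then
        list=$(for d in /sys/class/net/*; do
                   n=${d##*/}
                   [ "$n" = lo ] || printf '%s ' "$n"
               done)
    fi
    spec=
    for n in $list; do
        spec=${spec:+$spec:}$n
    done
    printf '%s\n' "$spec"
}

# read_interface FILE -> value of INTERFACE= in FILE.
# The sysconfig file is shell syntax, so it is sourced in a subshell (as the
# snortd script does) rather than parsed; pass an absolute path, because a
# bare filename given to '.' is looked up in $PATH.
read_interface() {
    ( . "$1" && printf '%s\n' "${INTERFACE:-}" )
}

# snort_cmd "eth0 eth1" -> the full daemonised command line, for inspection
snort_cmd() {
    printf '%s\n' "$SNORT_BIN --daq afpacket --daq-mode passive -i $(iface_spec "$1") -c $SNORT_CONF -l $SNORT_LOGDIR -D"
}

# start_snort [SYSCONFIG_FILE]: exec Snort; used by 'snort-start.sh start'
start_snort() {
    ifaces=$(read_interface "${1:-/etc/sysconfig/snort}")
    if [ -z "$ifaces" ]; then
        echo "no INTERFACE set in ${1:-/etc/sysconfig/snort}" >&2
        return 1
    fi
    exec "$SNORT_BIN" --daq afpacket --daq-mode passive \
        -i "$(iface_spec "$ifaces")" -c "$SNORT_CONF" -l "$SNORT_LOGDIR" -D
}

# Only start when invoked as 'snort-start.sh start'; sourcing the file just
# defines the functions.
if [ "${1:-}" = start ]; then
    start_snort "${2:-}"
fi
```

With the script saved as, say, /usr/local/sbin/snort-start.sh, a line `/usr/local/sbin/snort-start.sh start` in /etc/rc.local starts Snort at boot with the same arguments James runs by hand, and `INTERFACE="eth0 eth1"` in /etc/sysconfig/snort becomes `-i eth0:eth1`. Run `sh -c '. /usr/local/sbin/snort-start.sh; snort_cmd "$(read_interface /etc/sysconfig/snort)"'` first to see the exact command before trusting it at boot.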
