[Snort-users] starting multiple instances of snort

Jack Pepper pepperjack at ...14319...
Mon Dec 7 08:05:13 EST 2015


please try this and post the result:

egrep -i "output|log" /etc/snort/snort.conf

On Mon, Dec 7, 2015 at 2:19 AM, James <snort at ...16635...> wrote:

> Hi,
>
> Both great ideas which I had to check. Unfortunately neither seems to be
> the cause; no log dir defined in the conf and the perfmon preproc is
> commented out. Any other suggestions?
>
> Thanks
> J.
>
> On 4 December 2015 at 16:22, Y M <snort at ...15979...> wrote:
>
>> If I were to throw a guess at it, I would look in the
>> snort.conf file to see if it has the logdir statically defined in "config
>> logdir:". This may cause a conflict.
>>
>> Also I would check if snort.conf has perfmon configured. By default snort
>> will dump stats to /var/snort as opposed to the default log directory
>> /var/log/snort.
>>
>> YM
>>
>> On Fri, Dec 4, 2015 at 7:55 AM -0800, "James" <snort at ...16635...>
>> wrote:
>>
>> Hi,
>>
>> I'm attempting to start 16 instances of snort using a for loop, but see
>> this error repeating in /var/log/messages and hope someone can help as I'm
>> drawing a blank at the moment.
>>
>> snort[8537]: FATAL ERROR: Stat check on log dir failed: No such file or
>> directory.
>>
>> This is the loop:
>>
>> for i in `seq 0 1 15`; do
>>   snort -q -u snort -g snort --pid-path /var/run --create-pidfile -D \
>>     -c /etc/snort/snort.conf -l /logs/snort/eth4_eth5/instance-$i \
>>     --daq-dir=/usr/local/lib/daq --daq pfring_zc --daq-mode passive \
>>     -i zc:eth4@$i,zc:eth5@$i --daq-var clusterid=$i --daq-var bindcpu=$i
>> done
>>
>> The referenced log dirs exist and are owned by the snort user, as shown:
>>
>> []$ sudo -u snort ls -al /logs/snort/eth4_eth5/
>> total 72
>> drwx------ 18 snort snort 4096 Dec  4 10:44 .
>> drwx------  3 snort snort 4096 Dec  4 10:43 ..
>> drwx------  2 snort snort 4096 Dec  4 10:50 instance-0
>> drwx------  2 snort snort 4096 Dec  4 10:50 instance-1
>> drwx------  2 snort snort 4096 Dec  4 10:44 instance-10
>> drwx------  2 snort snort 4096 Dec  4 10:44 instance-11
>> drwx------  2 snort snort 4096 Dec  4 10:53 instance-12
>> drwx------  2 snort snort 4096 Dec  4 10:54 instance-13
>> drwx------  2 snort snort 4096 Dec  4 10:54 instance-14
>> drwx------  2 snort snort 4096 Dec  4 10:54 instance-15
>> drwx------  2 snort snort 4096 Dec  4 10:51 instance-2
>> drwx------  2 snort snort 4096 Dec  4 10:51 instance-3
>> drwx------  2 snort snort 4096 Dec  4 10:51 instance-4
>> drwx------  2 snort snort 4096 Dec  4 10:52 instance-5
>> drwx------  2 snort snort 4096 Dec  4 10:52 instance-6
>> drwx------  2 snort snort 4096 Dec  4 10:52 instance-7
>> drwx------  2 snort snort 4096 Dec  4 10:44 instance-8
>> drwx------  2 snort snort 4096 Dec  4 10:44 instance-9
>>
>> Any help is much appreciated.
>>
>> J.
>>
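
Added example (not written by any poster in this thread): a pre-flight script that automates the checks suggested above. It lists the active snort.conf directives that can redirect log or stats output, and reports any per-instance log directory that is missing or inaccessible. The function names, the sample snort.conf and the temporary directory tree are constructed for illustration; against a real sensor, run the two check functions as the snort user (for example via sudo -u snort) with the real paths.

```shell
#!/bin/sh
# Pre-flight checks before starting several Snort instances with -l <dir>.
# Hypothetical helper names; sample data below is constructed.

# Print active (uncommented) directives that can send output somewhere
# other than the -l directory: config logdir, perfmonitor, output plugins.
conf_log_directives() {
    # $1 = path to snort.conf
    grep -Ei '^[[:space:]]*(config[[:space:]]+logdir|preprocessor[[:space:]]+perfmonitor|output)[[:space:]:]' "$1" || true
}

# Print one line for every instance directory that fails the check.
missing_logdirs() {
    # $1 = base directory, $2 = number of instances (0 .. $2-1)
    i=0
    while [ "$i" -lt "$2" ]; do
        d="$1/instance-$i"
        if [ ! -d "$d" ]; then
            echo "$d: missing"
        elif [ ! -w "$d" ] || [ ! -x "$d" ]; then
            echo "$d: not writable/searchable by $(id -un)"
        fi
        i=$((i + 1))
    done
}

# Build a constructed sample: a small snort.conf and 3 of 4 instance dirs.
make_sample() {
    t=$(mktemp -d)
    cat > "$t/snort.conf" <<'EOF'
# constructed sample, not the poster's configuration
config logdir: /var/log/snort
#preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
output unified2: filename snort.log, limit 128
include classification.config
EOF
    mkdir -p "$t/logs/instance-0" "$t/logs/instance-1" "$t/logs/instance-2"
    echo "$t"
}

# Demo run on the constructed sample.
sample=$(make_sample)
echo "Active log-related directives:"
conf_log_directives "$sample/snort.conf"
echo "Problem directories:"
missing_logdirs "$sample/logs" 4
rm -rf "$sample"
```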