[Snort-users] Multiple log files

test engineer test12524 at ...11827...
Fri Jan 9 09:49:42 EST 2015


Thanks Waldo, yes they are pcaps (to be specific).  The odd thing is I'm
running 8 snort processes (in a test environment).

/usr/sbin/snort -A fast -U -b -d -e -D -i dag0:0 -c /etc/snort/snort.conf -l /var/log/snort
/usr/sbin/snort -A fast -U -b -d -e -D -i dag0:2 -c /etc/snort/snort.conf -l /var/log/snort
/usr/sbin/snort -A fast -U -b -d -e -D -i dag0:4 -c /etc/snort/snort.conf -l /var/log/snort
etc... up to dag0:14.

Based on your comment, there should be 8 log (pcap) files, but there are not.
The question I'm trying to answer is why are there 2 or sometimes 3 pcap
files?  Also... only one of the pcap files collects data, the others are empty.

Thanks





On Wed, Jan 7, 2015 at 9:20 PM, waldo kitty <wkitty42 at ...14940...> wrote:

> On 1/6/2015 11:44 AM, test engineer wrote:
> > Thanks for any assistance.
> >
> > I'm running snort 2.9.6.2 and using an Emulex DAG card as the monitor
> > interface. I'm running 8 snort processes in a balanced stream
> > configuration.  After starting snort, I notice that sometimes it creates
> > 2 or even 3 log files in /var/log/snort.  I'm wondering why it creates
> > 2 or 3 and not just 1.
> >
> > -rw-r--r--. 1 root root 0 Jan  6 11:35 alert
> > -rw-------. 1 root root 0 Jan  6 11:35 snort.log.1420562102
> > -rw-------. 1 root root 0 Jan  6 11:35 snort.log.1420562103
>
> those are pcap files... there should be one for each process... they will
> contain the packet data that triggered the alerts snort raised... each process
> should have unique names for these and similar output files they write...