[Snort-users] Multiple log files

Jason Ish lists at ...16429...
Fri Jan 9 16:14:40 EST 2015


On Fri, Jan 9, 2015 at 8:49 AM, test engineer <test12524 at ...11827...> wrote:
> Thanks Waldo, yes they are pcaps (to be specific).  The odd thing is I'm
> running 8 snort processes (in a test environment).
>
> /usr/sbin/snort -A fast -U -b -d -e -D -i dag0:0 -c /etc/snort/snort.conf -l /var/log/snort
> /usr/sbin/snort -A fast -U -b -d -e -D -i dag0:2 -c /etc/snort/snort.conf -l /var/log/snort
> /usr/sbin/snort -A fast -U -b -d -e -D -i dag0:4 -c /etc/snort/snort.conf -l /var/log/snort
> etc... up to dag0:14.
>
> Based on your comment, there should be 8 log (pcap) files but there are not.
> The question I'm trying to answer is why are there
> 2 or sometimes 3 pcap files?  Also...only one of the pcap files collects
> data, the others are empty.

While it might be possible to do this using a shared logging
directory, I find it easier to manage multiple instances using the
same configuration if you give each its own log directory.  Other
apps, like barnyard2, will be happier with this type of setup as well.

Jason
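
The per-instance log directory layout suggested in the reply above, as an added example that is not part of the original thread. The directory naming (for example `/var/log/snort/dag0_4`) and the function names are assumptions; the Snort flags are the ones quoted in the question.

```shell
#!/bin/sh
# Added example: one log directory per Snort instance, so the pcap and
# alert files of the eight processes never share a directory.
# LOG_ROOT layout and function names are assumptions, not from the thread.
LOG_ROOT="/var/log/snort"
SNORT_CONF="/etc/snort/snort.conf"

# Map an interface such as dag0:4 to a single safe path component
# (dag0_4) under LOG_ROOT; ':' and '/' are replaced with '_'.
logdir_for() {
    printf '%s/%s\n' "$LOG_ROOT" "$(printf '%s' "$1" | tr ':/' '__')"
}

# The eight DAG streams from the thread: dag0:0, dag0:2, ... dag0:14.
interfaces() {
    n=0
    while [ "$n" -le 14 ]; do
        printf 'dag0:%s\n' "$n"
        n=$((n + 2))
    done
}

# Dry run by default: print one command per interface.
# Called as "start_all run", create each directory and launch Snort.
start_all() {
    for ifc in $(interfaces); do
        dir=$(logdir_for "$ifc")
        if [ "${1:-}" = "run" ]; then
            mkdir -p "$dir" || return 1
            /usr/sbin/snort -A fast -U -b -d -e -D \
                -i "$ifc" -c "$SNORT_CONF" -l "$dir" || return 1
        else
            echo "/usr/sbin/snort -A fast -U -b -d -e -D -i $ifc -c $SNORT_CONF -l $dir"
        fi
    done
}

# Print the commands that would be run (no processes are started here).
start_all
```

With this layout a per-instance consumer such as barnyard2 can be pointed at exactly one directory.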
