Re: Syslog trouble

[John Sage <jsage () finchhaven com>]

Michael:

You don't say what OS you're using, but I'm not sure that matters a lot 
(well, it *may* matter some, but I dunno.. ;-)

Under Linux 2.2.14 I have in snort.conf:

# Use one or more syslog facilities as arguments
# DAEMON = facility; ALERT = priority at man syslog.conf(5)
#
output alert_syslog: LOG_DAEMON LOG_ALERT

And in /etc/syslog.conf I have:

daemon.*          /var/log/daemon

and:

*.info;*.notice;*.warn;\
     mail.none;news.none;authpriv.none     /var/log/messages

Messages appear specifically in /var/log/messages and /var/log/daemon

And messages are picked up out of those by Psionic's logcheck and mailed 
to me on several boxen..

snort command line:

snort -b -i ppp0 -c /usr/local/snort-1.7/snort.conf &

HTH..

- John

--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."

Michael J Clark wrote:

> Hey guys,
>
> Im sure this is an easy question but its been giving me trouble for a while.
>
> I can't seem to get anything to log to syslog.  Logging is fine in the 
> directories (Im using 1.7).
>
> This is the command line:  snort -i eth1 -D -s -l /var/log/snort
>
> in snort.conf Ive tried output: alert_syslog: LOG_AUTH LOG_INFO
>
> I have also tried without that and still nothing.  Im testing with the rule
>
> alert any any any <> any any (msg: "STUFF: ";)
>
>
> I'd like to see the alerts go to /var/log/messages.  My syslog.conf looks 
> to be ok.  Haven't changed it from the default (rh 7.1).
>
> Please reply to my address as well (I use digests).  Thanks
>
>
> Mike


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users