Snort mailing list archives

RE: Alert OR syslog?


From: "Don" <Don () WeberOnTheWeb com>
Date: Thu, 5 Dec 2002 11:36:53 -0800

umm, with -s you need to put in the syslog server address, so

/usr/local/bin/snort -c /etc/snort/snort.conf -I -A full -s blame_cmg -i rl0

would become

/usr/local/bin/snort -c /etc/snort/snort.conf -I -A full -s 192.168.0.2:514 -i rl0

or you would put your syslog server IP address there with the listening tcp
port number. Works for me. For some reason it's always required me to put in
the port number.

Don

  -----Original Message-----
  From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Weiss, Jeffrey H.
  Sent: Thursday, December 05, 2002 9:57 AM
  To: 'Alberto Gonzalez'
  Cc: snort-users () lists sourceforge net
  Subject: RE: [Snort-users] Alert OR syslog?


  Hi, Alberto,
  Thanks for your response.
  Reasons for 3 types of logging (may not be good reasons):
  1. Binary format allows analysis tools to be leveraged (snortsnarf).
  2. Alert log provides a local, easily perused/tailed indicator of nasties and falsies.
  3. Syslog entries can be directed off-server to a remote central logging server.
  I could work without the alert log but don't understand why enabling syslog disables it.

  Not sure I understand your blame_cmg...new flag?
  Thanks,
  Jeffrey

  -----Original Message-----
  From: Alberto Gonzalez [mailto:albertg () cerebro violating us]
  Sent: Thursday, December 05, 2002 2:00 PM
  Cc: snort-users () lists sourceforge net
  Subject: Re: [Snort-users] Alert OR syslog?



  In your command line, you're doing binary logging (-b), full logging (-A
  full) and syslog (-s).
  I haven't tried to do both syslog and FULL (waste of time?).

  When I run it with the following command snort seems to run fine:

  /usr/local/bin/snort -c /etc/snort/snort.conf -I -A full -s blame_cmg -i rl0

  So give that a try. I'm not sure why someone wants 3 logging mechanisms,
  but hey!

  Cheers!

     - Alberto

  (sorry cmg for the syslog part :-)) <grin>



  Weiss, Jeffrey H. wrote:

  > I am wondering why I cannot get both an alert log written AND
  > syslogging to occur.
  >
  > My command line invocation:
  > snort -b -c /usr/local/etc/snort/snort.conf -I -A full -l /logs/UA/snort -s -i qfe0
  >
  > Pertinent snort.conf(?):
  > output alert_syslog: LOG_ALERT
  >
  > Is there something too obvious here?
  > Thanks!
  > Jeffrey Weiss
  >

  --
  The secret to success is to start from scratch and keep on scratching.
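An added example, not taken from any message in this thread, showing how to get the three sinks Jeffrey asked for (binary log, full-text alerts and syslog) from the output plugins in snort.conf instead of the -b, -A and -s switches. The log directory /logs/UA/snort and the syslog server 192.168.0.2:514 come from the thread; the file names and the LOG_AUTH facility are assumed choices. Output lines in snort.conf are additive: each one adds a plugin, none of them replaces the previous one.

```conf
# snort.conf output section (added example, not from the thread).
# Every "output" line adds a sink; they stack rather than replace each other.

# 1. Binary packet log for offline analysis tools (replaces -b on the command line).
#    File is created under the directory given with -l.
output log_tcpdump: snort.log

# 2. Human-readable full alerts to a file under the -l directory (replaces -A full).
output alert_full: alert.full

# 3. Syslog, as LOG_<facility> LOG_<priority>. LOG_AUTH is an assumed choice;
#    this delivers to the local syslog daemon, which does any off-box forwarding.
output alert_syslog: LOG_AUTH LOG_ALERT

# Alternative to 3 on builds whose alert_syslog plugin accepts a remote host
# (the host= option; assumed to be present in your version, check your Snort docs):
# output alert_syslog: host=192.168.0.2:514, LOG_AUTH LOG_ALERT
```

Start Snort with -c /usr/local/etc/snort/snort.conf -l /logs/UA/snort -i qfe0 and leave -b, -A and -s off the command line: the command-line alert and log switches override the output plugins in the file, which is the kind of interaction that makes one mode appear to switch off another. To ship the syslog copy to a central server with the local-syslog variant, add a selector such as `auth.alert @192.168.0.2` (matching LOG_AUTH LOG_ALERT above) to the syslog daemon's syslog.conf; classic syslog forwarding goes out on UDP port 514, so make sure the central server is listening on that.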




