Snort mailing list archives
RE: Alert OR syslog?
From: "Don" <Don () WeberOnTheWeb com>
Date: Thu, 5 Dec 2002 11:36:53 -0800
RE: [Snort-users] Alert OR syslog?

umm, with -s you need to put in the syslog server address, so

/usr/local/bin/snort -c /etc/snort/snort.conf -I -A full -s blame_cmg -i rl0

would become

/usr/local/bin/snort -c /etc/snort/snort.conf -I -A full -s 192.168.0.2:514 -i rl0

or you would put your syslog server IP addy there with the listening tcp port number. Works for me. For some reason it's always required me to put in the port number.

Don

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Weiss, Jeffrey H.
Sent: Thursday, December 05, 2002 9:57 AM
To: 'Alberto Gonzalez'
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Alert OR syslog?

Hi, Alberto,

Thanks for your response. Reasons for 3 types of logging (may not be good reasons):

1. Binary format allows analysis tools to be leveraged (snortsnarf).
2. Alert log provides a local, easily perused/tailed indicator of nasties and falsies.
3. Syslog entries can be directed off-server to a remote central logging server.

I could work without the alert log but don't understand why enabling syslog disables it.

Not sure I understand your blame_cmg...new flag?

Thanks,
Jeffrey

-----Original Message-----
From: Alberto Gonzalez [mailto:albertg () cerebro violating us]
Sent: Thursday, December 05, 2002 2:00 PM
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Alert OR syslog?

In your command line, you're doing binary logging (-b), full logging (-A full) and syslog (-s). I haven't tried to do both syslog and FULL (waste of time?). When I run it with the following command snort seems to run fine:

/usr/local/bin/snort -c /etc/snort/snort.conf -I -A full -s blame_cmg -i rl0

So give that a try. I'm not sure why someone wants 3 logging mechanisms, but hey!

Cheers!

- Alberto

(sorry cmg for the syslog part :-)) <grin>

Weiss, Jeffrey H. wrote:
> I am wondering why I cannot get both an alert log written AND
> syslogging to occur.
>
> My command line invocation:
> snort -b -c /usr/local/etc/snort/snort.conf -I -A full -l
> /logs/UA/snort -s -i qfe0
>
> Pertinent snort.conf(?):
> output alert_syslog: LOG_ALERT
>
> Is there something too obvious here?
> Thanks!
> Jeffrey Weiss
> --
> The secret to success is to start from scratch and keep on scratching.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
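An added example, not part of the thread and not something any poster tried: the three destinations Jeffrey wants (binary packet log, full alert file, syslog) declared as output plugins in snort.conf instead of as the -b, -A full and -s command-line flags. It assumes the Snort 1.9-era output plugin names and argument forms, and it assumes (per the Snort manual of that generation, not this thread) that command-line -A/-s alert options take precedence over the configuration file's output plugins, so the command line is run without them; the syslog facility/level and the file names are illustrative and can be changed.

```conf
# Added example (not from the thread): declare all three outputs in snort.conf.
# Assumes Snort 1.9-era output plugin syntax. Start snort WITHOUT -b, -A or -s
# (e.g. snort -c /usr/local/etc/snort/snort.conf -I -l /logs/UA/snort -i qfe0)
# on the assumption that command-line alert options override these plugins.

# 1. Binary (tcpdump-format) packet log for offline tools such as snortsnarf.
#    File name is relative to the directory given with -l.
output log_tcpdump: snort.log

# 2. Full-format alert file, locally tailable.
output alert_full: alert.full

# 3. The same alerts to syslog; syslogd can then forward them to a central host.
#    Facility and level are illustrative (the thread's config used LOG_ALERT alone).
output alert_syslog: LOG_AUTH LOG_ALERT
```

Whether a given Snort build honours all three plugins at once is something to verify on the sensor by checking that snort.log, alert.full and the syslog destination all receive a test alert; the thread itself reports only that the command-line combination did not produce the alert file.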
Current thread:
- Alert OR syslog? Weiss, Jeffrey H. (Dec 05)
- Re: Alert OR syslog? Alberto Gonzalez (Dec 05)
- <Possible follow-ups>
- RE: Alert OR syslog? Weiss, Jeffrey H. (Dec 05)
- RE: Alert OR syslog? Don (Dec 05)
- RE: Alert OR syslog? Don (Dec 05)
- RE: Alert OR syslog? Don (Dec 05)
- RE: Alert OR syslog? Steve Halligan (Dec 05)
- RE: Alert OR syslog? Weiss, Jeffrey H. (Dec 05)
- Re: Alert OR syslog? Alberto Gonzalez (Dec 05)
- RE: Alert OR syslog? Weiss, Jeffrey H. (Dec 05)
- RE: Alert OR syslog? L. Christopher Luther (Dec 06)
- Re: RE: Alert OR syslog? Erek Adams (Dec 06)