Snort Forums Archive
Snort and syslog on FBSD6.2R
Posted by uncwed on July 16, 2007 10:18:50
Having problems with syslog and snort. Have tried:
output alert_syslog: LOG_LOCAL3 LOG_ALERT
&
output alert_syslog: LOG_LOCAL3
in snort.conf
with:
local3.* /var/log/snort/snort.log
&
local3.alert /var/log/snort/snort.log
in syslog.conf
I have also done chmod 600 /var/log/snort.log, and despite all this snort will not log to /var/log/snort/snort.log.
I have verified that snort is logging to syslog, but it is logging to auth. I cannot find any config that specifies this. I have also verified that snort is logging to the file I specify when I use the alert_fast option.
The startup flags in rc.conf are the default -Dq (Daemon, quiet)
Snort was installed from the ports collection. v 2.6.1.5
If anyone has the answer to this or thinks they may be able to help, that'd be appreciated. Is there a way I can test logging to local3 manually to narrow down the problem?
Thanks in advance!
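uncwed asks above whether local3 logging can be tested by hand. As an added example (not code from any poster in this thread), the script below first reads a syslog.conf to print every action that receives a given facility, including catch-all selectors such as *.notice, which match local3 too, and then sends one tagged message to that facility with logger(1) and greps the expected file for it. It assumes a BSD-style syslog.conf (selector, whitespace, action), a logger(1) that accepts -p facility.level and -t tag, and uses a constructed sample config for the offline run.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes BSD-style syslog.conf and a
# logger(1) with -p and -t; the sample config below is constructed.

# Constructed sample syslog.conf content, used for the offline walk-through.
SAMPLE_CONF='*.notice;authpriv.none;kern.debug;lpr.info;mail.crit	/var/log/messages
auth.info;authpriv.info	/var/log/auth.log
local3.*	/var/log/snort/snort.log'

# syslog_targets_for FACILITY < syslog.conf
# Prints the action (file, pipe or @host) of every selector line that routes
# FACILITY. "*" matches every facility; a later ".none" for the facility on the
# same line cancels an earlier match. FreeBSD's !program/+host section markers
# and comments are skipped.
syslog_targets_for() {
    awk -v fac="$1" '
        /^[[:space:]]*[#!+-]/ || NF < 2 { next }
        {
            hit = 0
            n = split($1, sel, ";")
            for (i = 1; i <= n; i++) {
                split(sel[i], fl, ".")            # facility.level
                if (fl[1] == fac || fl[1] == "*")
                    hit = (fl[2] != "none")       # later entries override
            }
            if (hit) print $2
        }'
}

# send_test_message FACILITY LEVEL LOGFILE
# Logs one uniquely tagged line via logger(1) and returns 0 if it appears in
# LOGFILE within a second, so the result can be checked without reading the
# whole log by eye.
send_test_message() {
    tag="syslogtest-$$-$(date +%s)"
    logger -p "$1.$2" -t "$tag" "test message for facility $1" || return 2
    sleep 1
    grep -q "$tag" "$3"
}

# Offline walk-through: which actions receive local3 in the sample config.
printf '%s\n' "$SAMPLE_CONF" | syslog_targets_for local3

# Against a live host this touches the real config and daemon, so it is opt-in.
if [ "${SYSLOG_TEST_SEND:-0}" = 1 ]; then
    syslog_targets_for local3 < /etc/syslog.conf
    send_test_message local3 alert /var/log/snort/snort.log && echo "routed OK"
fi
```

Run with SYSLOG_TEST_SEND=1 on the Snort host to exercise the real syslogd; if the message lands in /var/log/messages but not in the snort file, the problem is the selector line, and if it lands in neither, it is the daemon or file permissions.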
Posted by iana on September 10, 2007 04:40:29
For only specific facilities, you need to add a "@servername" rather than a logging location such as "/var/log/logname"
-------------------
software review: http://www.softsea.com/
Posted by iana on September 10, 2007 04:42:30
Here's a snippet of my /etc/syslog.conf file:
local1; local1.* @192.168.0.101
And one more thing, the remote syslog server needs to be accepting remote connections. I think you need to use the "-r" switch with the syslog daemon. Once I did that, it all worked fine.
-------------------
software review