Dear Matt,

First of all, apologies for the cross-posting to security. My bad.

On Sat, Feb 02, 2002 at 04:00:19AM -0500, Matt Zimmerman wrote:
> The -s option means just what it says; it sends alert messages to syslog.
> Where they end up depends entirely on the syslog configuration, and has
> nothing to do with snort. The statement about /var/log/secure contains a
> tacit assumption about how syslog is configured (I'm guessing that some
> Linux distribution(s) have such a logfile by default). With Debian's
> default syslog configuration, such things end up in /var/log/auth.log.

Yes, at first I suspected that syslog in Debian's default configuration was just logging it to another file. However, as far as I can determine, snort (or perhaps syslog) does not log anything to any file under /var/log/ (including auth.log). I have nmapped myself several times and then proceeded to grep all my logs for snort, which revealed that incidents weren't being written into any log file by syslog. I simply do not know if syslog is actually receiving any messages from snort at all, or if syslog is just not properly configured in a manner such that it will forward alerts into a single log file. Snort does, however, record individual logs into /var/log/snort/ for each incident, but that does not aid me at all because razorback can only interact with a single syslog-written file.

> Part of your job in packaging razorback is to integrate it with the
> Debian system.

Of course I am trying to do that, but I have reached the point where I do not have enough experience with syslog and/or snort to let me determine why snort is not interacting with syslog the way I am expecting it to, or as pointed out in the documentation. That is why I'm asking fellow readers who probably know more about snort and/or syslog for help in pointing out what I have failed to notice so far.
Yours sincerely,
Andrew "Netsnipe" Lau

--
---------------------------------------------------------------------------
* Andrew 'Netsnipe' Lau          DebianPlanet.org Editor & Comp.Sci, UNSW *
* "apt-get into it"              Debian GNU/Linux New Maintainer          *
* <netsnipe @/ debianplanet.org>  <awhl435 @/ cse.unsw.edu.au>            *
* PGP: 1024D/2E8B68BD: 0B77 73D0 4F3B F286 63F1 9F4A 9B24 C07D 2E8B 68BD  *
---------------------------------------------------------------------------
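Added example (not part of the mail or of the razorback/snort code): the check the thread is circling around, namely whether snort alerts actually reach a syslog-written file such as /var/log/auth.log and whether they are in the format a razorback-style watcher can parse. The sample log lines are constructed here in the shape snort -s emits through syslog; the diagnose() helper separates "syslog received nothing tagged snort" from "snort lines present but not in alert format".

```python
import re
from typing import Optional

# Constructed sample of an auth.log with two snort alerts mixed in (not from the mail).
SAMPLE_AUTH_LOG = """\
Feb  2 04:00:19 host sshd[1234]: Accepted publickey for andrew from 10.0.0.2 port 40112 ssh2
Feb  2 04:00:21 host snort: [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.2 -> 10.0.0.1
Feb  2 04:00:22 host snort: [1:628:1] SCAN nmap TCP [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 10.0.0.2:40113 -> 10.0.0.1:22
Feb  2 04:00:30 host CRON[1250]: (root) CMD (run-parts /etc/cron.hourly)
"""

# syslog prefix, then the snort alert body: [gid:sid:rev] msg [Classification: ...] [Priority: n]: {proto} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) snort(?:\[\d+\])?: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[Classification: (?P<classification>[^\]]*)\] \[Priority: (?P<priority>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)

def parse_alert(line: str) -> Optional[dict]:
    """Return a dict for one snort syslog alert line, or None for any other line."""
    m = ALERT_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["sid"] = int(rec["sid"])
    rec["priority"] = int(rec["priority"])
    return rec

def snort_alerts(text: str) -> list:
    """All parsed snort alerts in a syslog-format text, in file order."""
    return [a for a in (parse_alert(l) for l in text.splitlines()) if a]

def diagnose(text: str) -> str:
    """Tell 'syslog got nothing from snort' apart from 'snort lines present but unparsed'."""
    tagged = [l for l in text.splitlines() if re.search(r"\ssnort(\[\d+\])?: ", l)]
    alerts = snort_alerts(text)
    if not tagged:
        return "no snort-tagged lines: syslog is not receiving snort alerts (check -s and facility routing)"
    if len(alerts) < len(tagged):
        return f"{len(tagged) - len(alerts)} snort line(s) did not match the alert format"
    return f"{len(alerts)} snort alert(s) parsed"
```

Run it against a real file with `diagnose(open("/var/log/auth.log").read())` after an nmap of localhost; a "no snort-tagged lines" result means the problem is between snort and syslog, not in the watcher.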