[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: #124169: snort: Lack of logging to /var/log/secure in default setup & log permissions

(note: there was no reason to crosspost this to debian-security.  Please
read the mailing list code of conduct at

On Sat, Feb 02, 2002 at 07:30:15PM +1100, Andrew Lau wrote:

> Dear Robert,
> 	I currently have an ITP to razorback
> <http://www.intersectalliance.com/projects/RazorBack/> which is a
> GNOME front-end to snort. Razorback requires access to /var/log/secure
> in order to provide real time monitoring of snort's status. After
> reading the documentation to snort it would seem that snort is meant
> to log by default to /var/log/secure as enabled by -s in the man page
> and the option you specified in /etc/snort/snort.conf:
>        -s     Send alert messages to  syslog.   On  Linux  boxen,
>               they will appear in /var/log/secure, /var/log/messages
> 	      on many other platforms.
> However this file doesn't exist or logged to even if the file is
> created by hand.

The -s option means just what it says; it sends alert messages to syslog.
Where they end up depends entirely on the syslog configuration, and has
nothing to do with snort.  The statement about /var/log/secure contains a
tacit assumption about how syslog is configured (I'm guessing that some
Linux distribution(s) have such a logfile by default).  With Debian's
default syslog configuration, such things end up in /var/log/auth.log.

Part of your job in packaging razorback is to integrate it with the Debian

> 	My other concern is that as the logs under /var/log/snort/
> belong to snort.snort but are being set to 400. [...]

I see no problem with allowing group snort to read the logfiles.
Unfortunately, there are more important problems with snort at the moment,
so when the maintainer has time, he still may not be able to process your

 - mdz

Reply to: