[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: #124169: snort: Lack of logging to /var/log/secure in default setup & log permissions



Dear Matt,
	First of all, apologies for the cross-posting to security. My
bad.

On Sat, Feb 02, 2002 at 04:00:19AM -0500, Matt Zimmerman wrote:
> The -s option means just what it says; it sends alert messages to syslog.
> Where they end up depends entirely on the syslog configuration, and has
> nothing to do with snort.  The statement about /var/log/secure contains a
> tacit assumption about how syslog is configured (I'm guessing that some
> Linux distribution(s) have such a logfile by default).  With Debian's
> default syslog configuration, such things end up in /var/log/auth.log.

	Yes, at first I suspected that syslog in Debian's default
configuration was just logging it to another file. However, as far as
I can determine, snort (or perhaps syslog) does not log anything to
any file under /var/log/ (including auth.log). I have nmapped myself
several times and then proceeded to grep all my logs for snort which
revealed that incident weren't being written into any log file by
syslog. I simply do not know if syslog is actually receiving any
messages from snort at all or if syslog is just not properly
configured in a manner such that it will forward alerts into a single
log file. Snort does however record individual logs into
/var/log/snort/ for each incident, but that does not aid me at all
because razorback can only interact with a single syslog-written file.

> Part of your job in packaging razorback is to integrate it with the
> Debian system.
	
	Of course I am trying to do that, but I have reached the point
where I do not have enough experience with syslog and/or snort to let
me determine why snort is not interacting with syslog the way I am
expecting it to or as pointed out in the documentation. That is why
I'm asking for fellow readers who probably know more about snort
and/or syslog for help in pointing out what I have failed to notice so
far.

Yours sincerely,
Andrew "Netsnipe" Lau

-- 
---------------------------------------------------------------------------
* Andrew 'Netsnipe' Lau          DebianPlanet.org Editor & Comp.Sci, UNSW *
*   "apt-get into it"                     Debian GNU/Linux New Maintainer *
*     <netsnipe @/ debianplanet.org>    <awhl435 @/ cse.unsw. edu.au>     * 
* PGP: 1024D/2E8B68BD: 0B77 73D0 4F3B F286 63F1  9F4A 9B24 C07D 2E8B 68BD *
---------------------------------------------------------------------------

Attachment: pgpMWUEwMLf6Y.pgp
Description: PGP signature


Reply to: