Re: #124169: snort: Lack of logging to /var/log/secure in default setup & log permissions

To: debian-devel@lists.debian.org
Cc: mdz@debian.org
Subject: Re: #124169: snort: Lack of logging to /var/log/secure in default setup & log permissions
From: Andrew Lau <netsnipe@debianplanet.org>
Date: Sat, 2 Feb 2002 20:33:53 +1100
Message-id: <[🔎] 20020202093353.GA13240@debianplanet.org>
In-reply-to: <[🔎] 20020202090019.GK29655@alcor.net>
References: <[🔎] 20020202083015.GA10937@debianplanet.org> <[🔎] 20020202090019.GK29655@alcor.net>

Dear Matt,
	First of all, apologies for the cross-posting to security. My
bad.

On Sat, Feb 02, 2002 at 04:00:19AM -0500, Matt Zimmerman wrote:
> The -s option means just what it says; it sends alert messages to syslog.
> Where they end up depends entirely on the syslog configuration, and has
> nothing to do with snort.  The statement about /var/log/secure contains a
> tacit assumption about how syslog is configured (I'm guessing that some
> Linux distribution(s) have such a logfile by default).  With Debian's
> default syslog configuration, such things end up in /var/log/auth.log.

	Yes, at first I suspected that syslog in Debian's default
configuration was just logging it to another file. However, as far as
I can determine, snort (or perhaps syslog) does not log anything to
any file under /var/log/ (including auth.log). I have nmapped myself
several times and then proceeded to grep all my logs for snort which
revealed that incident weren't being written into any log file by
syslog. I simply do not know if syslog is actually receiving any
messages from snort at all or if syslog is just not properly
configured in a manner such that it will forward alerts into a single
log file. Snort does however record individual logs into
/var/log/snort/ for each incident, but that does not aid me at all
because razorback can only interact with a single syslog-written file.

> Part of your job in packaging razorback is to integrate it with the
> Debian system.
	
	Of course I am trying to do that, but I have reached the point
where I do not have enough experience with syslog and/or snort to let
me determine why snort is not interacting with syslog the way I am
expecting it to or as pointed out in the documentation. That is why
I'm asking for fellow readers who probably know more about snort
and/or syslog for help in pointing out what I have failed to notice so
far.

Yours sincerely,
Andrew "Netsnipe" Lau

-- 
---------------------------------------------------------------------------
* Andrew 'Netsnipe' Lau          DebianPlanet.org Editor & Comp.Sci, UNSW *
*   "apt-get into it"                     Debian GNU/Linux New Maintainer *
*     <netsnipe @/ debianplanet.org>    <awhl435 @/ cse.unsw. edu.au>     * 
* PGP: 1024D/2E8B68BD: 0B77 73D0 4F3B F286 63F1  9F4A 9B24 C07D 2E8B 68BD *
---------------------------------------------------------------------------

Attachment: pgpt8t9EK5XNa.pgp
Description: PGP signature

Reply to:

Follow-Ups:
- Re: #124169: snort: Lack of logging to /var/log/secure in default setup & log permissions
  - From: Matt Zimmerman <mdz@debian.org>

References:
- #124169: snort: Lack of logging to /var/log/secure in default setup & log permissions
  - From: Andrew Lau <netsnipe@debianplanet.org>
- Re: #124169: snort: Lack of logging to /var/log/secure in default setup & log permissions
  - From: Matt Zimmerman <mdz@debian.org>

Prev by Date: Re: splitting xpdf and copyright problems
Next by Date: Re: Proposal: Why not use testing-proposed-updates?
Previous by thread: Re: #124169: snort: Lack of logging to /var/log/secure in default setup & log permissions
Next by thread: Re: #124169: snort: Lack of logging to /var/log/secure in default setup & log permissions
Index(es):
- Date
- Thread