Re: #124169: snort: Lack of logging to /var/log/secure in default setup & log permissions
On Sat, Feb 02, 2002 at 08:33:53PM +1100, Andrew Lau wrote:
> Yes, at first I suspected that syslog in Debian's default
> configuration was just logging it to another file. However, as far as
> I can determine, snort (or perhaps syslog) does not log anything to
> any file under /var/log/ (including auth.log). I have nmapped myself
> several times and then proceeded to grep all my logs for snort which
> revealed that incidents weren't being written into any log file by
> syslog. I simply do not know if syslog is actually receiving any
> messages from snort at all or if syslog is just not properly
> configured in a manner such that it will forward alerts into a single
> log file.
I think what you are asking is for a line like this to be added to
/etc/snort/snort.conf by default:
output alert_syslog: LOG_AUTH LOG_ALERT
By default, there don't seem to be any output plugins selected. Personally,
I use a line like the above.
So why not ask the snort maintainer for this? It is not clear from #124169
that this is what you want.
> Snort does however record individual logs into /var/log/snort/ for each
> incident, but that does not aid me at all because razorback can only
> interact with a single syslog-written file.
These files written to /var/log/snort are actually packet captures. Can
razorback actually read and interpret these files in some meaningful way?
If not, nix the part of your bug report where you ask for their permissions
to be changed. These files can contain arbitrary network data, which means
that they could be very security-sensitive. Other programs should only be
permitted to read them if they have good reason.
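As an added check (not part of this reply or of the Debian snort package), the following POSIX shell functions test the two points raised above: whether a snort.conf has an active `output alert_syslog:` line, and whether the packet captures in a snort log directory are readable by "other". The config fragments and file names in the demo are constructed, not Debian's real defaults.

```shell
#!/bin/sh
# Added check: is alerting to syslog enabled in a snort.conf, and are the
# packet captures under the snort log directory kept private?

# Print the active (uncommented) "output" plugin lines of a snort.conf.
active_outputs() {
    sed -e 's/^[[:space:]]*//' "$1" | grep '^output[[:space:]]'
}

# Return 0 if the config sends alerts to syslog, 1 otherwise.
has_syslog_output() {
    active_outputs "$1" | grep -q '^output[[:space:]]*alert_syslog:'
}

# Return 0 if no regular file in the directory is world-readable, 1 if one is.
# Captures hold arbitrary network data, so the "other" read bit should be off.
captures_private() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        # column 8 of "ls -l" is the read bit for "other"
        [ "$(ls -ld "$f" | cut -c8)" = "-" ] || return 1
    done
    return 0
}

# Constructed demo (not Debian's real files): a conf with every output
# plugin commented out, one with the line suggested in the reply, and a
# world-readable capture file.
demo() {
    tmp=$(mktemp -d)
    printf '# output alert_syslog: LOG_AUTH LOG_ALERT\nvar HOME_NET any\n' > "$tmp/none.conf"
    printf 'var HOME_NET any\noutput alert_syslog: LOG_AUTH LOG_ALERT\n' > "$tmp/syslog.conf"
    mkdir "$tmp/snort"
    printf 'pcap' > "$tmp/snort/snort.log.1"
    chmod 644 "$tmp/snort/snort.log.1"
    for c in none syslog; do
        if has_syslog_output "$tmp/$c.conf"; then
            echo "$c.conf: alerts go to syslog"
        else
            echo "$c.conf: no syslog output plugin active"
        fi
    done
    if captures_private "$tmp/snort"; then
        echo "captures private"
    else
        echo "captures world-readable"
    fi
    rm -rf "$tmp"
}
demo
```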