Re: #124169: snort: Lack of logging to /var/log/secure in default setup & log permissions
On Sun, Feb 03, 2002 at 09:04:31PM +1100, Andrew Lau wrote:
> On Sat, Feb 02, 2002 at 04:02:56PM -0500, Matt Zimmerman wrote:
> > I think what you are asking is for a line like this to be added to
> > /etc/snort/snort.conf by default:
> > output alert_syslog: LOG_AUTH LOG_ALERT
> > By default, there don't seem to be any output plugins selected.
> > Personally, I use a line like the above.
> Yes this is what I would like to be the Debian default in snort. Does
> enabling this option actually work on your box? However, as I stated
> in my first email to debian-devel, I have tried this option already
> and so far have not seen a single snort related incident being
> reported in auth.log despite portscanning myself several times both
> locally and remotely. So is there a bug in snort's syslog notification
Yes, it works fine here.
auth.log.1.gz:Feb 3 04:18:34 mizar snort: spp_portscan: PORTSCAN DETECTED to port 6112 from 126.96.36.199 (STEALTH)
Did you restart snort after making this change? Which syslog daemon are you
using, and have you modified the syslog configuration at all?