Re: #124169: snort: Lack of logging to /var/log/secure in default setup & log permissions

On Sun, Feb 03, 2002 at 09:04:31PM +1100, Andrew Lau wrote:

> On Sat, Feb 02, 2002 at 04:02:56PM -0500, Matt Zimmerman wrote:
> > I think what you are asking is for a line like this to be added to
> > /etc/snort/snort.conf by default:
> >
> > output alert_syslog: LOG_AUTH LOG_ALERT
> >
> > By default, there don't seem to be any output plugins selected.
> > Personally, I use a line like the above.
> Yes this is what I would like to be the Debian default in snort. Does
> enabling this option actually work on your box? However, as I stated
> in my first email to debian-devel, I have tried this option already
> and so far have not seen a single snort related incident being
> reported in auth.log despite portscanning myself several times both
> locally and remotely. So is there a bug in snort's syslog notification
> capabilities?

Yes, it works fine here.

auth.log.1.gz:Feb  3 04:18:34 mizar snort: spp_portscan: PORTSCAN DETECTED to port 6112 from (STEALTH)

Did you restart snort after making this change?  Which syslog daemon are you
using, and have you modified the syslog configuration at all?

 - mdz
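
An added example, not part of the original message: one way to check the syslog side of the question above is to evaluate which destinations a message with facility `auth` and priority `alert` (what `output alert_syslog: LOG_AUTH LOG_ALERT` emits) would reach. It assumes classic sysklogd selector syntax; the sample configuration is constructed and the function names are hypothetical.

```python
import re

# Classic syslog priorities, lowest to highest.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

# Constructed sample configuration, not taken from the thread.
SAMPLE_CONF = """\
# selector                      action
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
*.=debug;\\
        auth,authpriv.none      -/var/log/debug
*.emerg                         *
"""

def selector_matches(field, facility, priority):
    """Evaluate one selector field left to right; later selectors override."""
    level = PRIORITIES.index(ALIASES.get(priority, priority))
    matched = False
    for selector in filter(None, field.split(";")):
        facs, spec = selector.rsplit(".", 1)
        if not set(facs.split(",")) & {facility, "*"}:
            continue                      # selector is about other facilities
        if spec == "none":                # exclude this facility entirely
            matched = False
            continue
        negate, exact, name = re.match(r"(!?)(=?)(.+)", spec).groups()
        hit = True                        # "*" matches every priority
        if name != "*":
            want = PRIORITIES.index(ALIASES.get(name, name))
            hit = level == want if exact else level >= want
        if hit:
            matched = not negate
    return matched

def destinations(facility, priority, conf=SAMPLE_CONF):
    """Return the actions that would receive this facility/priority."""
    conf = re.sub(r"\\\n\s*", "", conf)   # join backslash-continued lines
    lines = [l.strip() for l in conf.splitlines()]
    rules = [l.split(None, 1) for l in lines if l and not l.startswith("#")]
    # A leading "-" on a file action only disables sync, so strip it.
    return [a.lstrip("-") for f, a in rules if selector_matches(f, facility, priority)]

if __name__ == "__main__":
    print(destinations("auth", "alert"))
```

An empty result for `auth`/`alert` means the daemon's configuration discards the alerts regardless of what snort sends.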
