
Re: Is snort-stat and 5snort really broken in sid?



On 12.09.2001 at 12:24:59, <sjk@dredel.com> wrote:

> What version are you using??

Version 1.8-RELEASE (Build 43)

> make sure the following line is in your snort.conf -- I think the debian
> equiv is snort-lib:
> 
> output alert_syslog: LOG_AUTH

I've uncommented this line in my snort.conf. I'm guessing it's synonymous with
the -s option, so I've stopped invoking snort from /etc/ip-up.d/snort with that
flag. It doesn't seem to log to /var/log/snort/alert any more, but it is logging
to /var/log/auth.log.

The problem now would appear to be the log format has changed, but snort-stat
hasn't changed since version 1.7.

> --sjk
> 
> On 12 Sep, Andrew Pollock wrote:
> > Hi,
> > 
> > I've always had problems with 5snort killing snort daily when snort's running in
> > dialup mode (I fixed that by commenting out the restart line) but I'm not
> > getting anything in the daily notification emails either.
> > 
> > /etc/ppp/ip-up.d/snort doesn't start snort with -s, so nothing goes into
> > /var/log/auth.log, everything goes into /var/log/snort/alert
> > 
> > /etc/cron.daily/5snort doesn't read this particular file, it only looks at
> > auth.log
> > 
> > Even if I run snort-stat manually on auth.log (after I've made snort start with
> > -s) it doesn't return anything when there are alerts in the log.
> > 
> > Any suggestions appreciated, I'd like to get daily summary emails.
> > 
> > Andrew
> > 
> > 
> 
> -- 
> -------- Aude Sepere -------
> sjk@dredel.com
> ---- Audax et Cautus -------
> 
> 


