
Resolved
0 votes
I've just noticed log files /var/log/snort/syslog (and their rotated copies) which are new since 6.5 was released. They contain an exact duplicate of the snort entries in /var/log/messages from when snort starts up, and this is wrong to me. The cause appears to be a new file, /etc/rsyslog.d/snort.conf, which sends the messages to the new file. This file is missing a last line:
& ~
which would stop the logs from then going to /var/log/messages. If in doubt, see /etc/rsyslog.d/ipsec.conf for how it should be done.

When I get time this afternoon I'll raise a bug report.
Friday, January 10 2014, 09:19 AM
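An added example, not part of the post above nor ClearOS's own files, showing the two fragment shapes the post describes and a small check for the missing discard line. The thread does not show the contents of /etc/rsyslog.d/snort.conf or ipsec.conf, so both fragments here are constructed and assume rsyslog's classic property-based filter syntax (`:programname, isequal, "snort"`), which is an assumption; the `& ~` discard rule ("&" reuses the previous filter, "~" discards the message) is the line the post says is missing.

```sh
#!/bin/sh
# Added example (not from the forum post or ClearOS): checks an rsyslog.d
# fragment for the pattern the post describes, a filter that writes matching
# messages to a dedicated file without a following "& ~" discard line, so the
# same messages also fall through to the default rules and /var/log/messages.

# Returns 0 (true) when the first filter line for the given program name is
# followed by a "& ~" discard line (blank and comment lines in between are
# ignored), 1 otherwise.
has_discard_after() {
    file="$1"; prog="$2"
    awk -v prog="$prog" '
        BEGIN { want = 0; ok = 0; seen = 0 }
        want && /^[[:space:]]*(#.*)?$/ { next }       # skip blank/comment lines
        want { ok = ($0 ~ /^&[[:space:]]*~[[:space:]]*$/); want = 0; next }
        !seen && $0 ~ ("^:programname, *isequal, *\"" prog "\"") { want = 1; seen = 1 }
        END { exit ok ? 0 : 1 }
    ' "$file"
}

# Constructed fragment in the shape the post describes: snort messages are
# written to /var/log/snort/syslog but keep flowing down the rsyslog chain,
# so they are duplicated in /var/log/messages. (Not the real ClearOS file.)
make_duplicating_conf() {
    cat > "$1" <<'EOF'
# constructed example, not the real ClearOS snort.conf
:programname, isequal, "snort" /var/log/snort/syslog
EOF
}

# The same constructed fragment with the "& ~" discard line added: "&" reuses
# the previous filter and "~" discards the message, so nothing further down
# the chain (including the rule feeding /var/log/messages) sees it.
make_fixed_conf() {
    cat > "$1" <<'EOF'
# constructed example, not the real ClearOS snort.conf
:programname, isequal, "snort" /var/log/snort/syslog
& ~
EOF
}

# Demonstration: write both fragments to a temporary directory and check them.
tmp=$(mktemp -d)
make_duplicating_conf "$tmp/snort-dup.conf"
make_fixed_conf "$tmp/snort-fixed.conf"
for f in "$tmp"/*.conf; do
    if has_discard_after "$f" snort; then
        echo "$f: ok, snort messages are discarded after the dedicated log"
    else
        echo "$f: WARNING, no '& ~' after the snort rule; messages will also reach /var/log/messages"
    fi
done
rm -rf "$tmp"
```

To check the real file on a ClearOS box, call `has_discard_after /etc/rsyslog.d/snort.conf snort` and, if it fails, compare the file with /etc/rsyslog.d/ipsec.conf as the post suggests.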
Responses (2)
  • Accepted Answer

    Friday, January 10 2014, 06:35 PM - #Permalink
    Resolved
    0 votes
    I've reported bug 1511, but it seems to be heavily related to bugs 1263 and 1264, where it appears the intention is to kill the logging into /var/log/snort/syslog, but the target version for the fix is 7.0 alpha :(
  • Accepted Answer

    Friday, January 10 2014, 01:32 PM - #Permalink
    Resolved
    0 votes
    Well spotted, looks like it should go under the app-intrusion-detection-core package :)
    [root@leonardo ~]# rpm -qf /etc/rsyslog.d/snort.conf
    app-intrusion-detection-core-1.5.15-1.v6.noarch