From: L. Christopher Luther (CLuther_at_Xybernaut.com)
Date: Mon Dec 02 2002 - 14:25:20 CST

    I too have been bitten by this issue, but for the life of me, I cannot find
    any reference for the log_ascii output plugin in the Snort docs:

    http://www.snort.org/docs/SnortUsersManual.pdf

    Is this something that is undocumented?

    - Christopher

    -----Original Message-----
    Date: Fri, 29 Nov 2002 11:04:03 -0500
    From: "Andrew R. Baker" <andrewbsnort.org>
    To: Peter Schobel <drifterzenfinity.com>
    CC: snort-userslists.sourceforge.net
    Subject: Re: [Snort-users] alert_full won't create subdirectories for ip addresses when mysql logging is enabled

    Peter Schobel wrote:
    > I have been searching the lists and have found a few posts on this problem but
    > couldn't find any posts that described a resolution
    >
    > I am using
    >
    > output alert_full
    >
    > output alert_syslog: LOG_AUTH LOG_ALERT
    >
    > and
    >
    > output database: log, mysql, user=user password=pass dbname=snortlogs
    > host=localhost
    >
    > as soon as I turn on the database output, the ip address subdirectories in
    > /var/log/snort are not created, when the database logging is disabled,
    > functionality returns to normal
    >
    > I am starting snort with
    >
    > daemon /usr/sbin/snort-mysql -l /var/log/snort -D -p\
    > -i $INTERFACE -c /etc/snort/snort.conf

    If you are looking for the sub-directory output, you need to enable the
    log_ascii output plugin. The reason you see them when you have the
    database output plugin disabled is because log_ascii is the default
    packet logging mechanism.

    -A

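The behaviour described in the reply above, as an added example (not part of the original thread and not Snort's own code): a Python check that reads a snort.conf and reports whether the per-IP ASCII packet logs are still being written. It assumes the directive is spelled `output log_ascii`, following the plugin name given in the reply, and that any `log_*` plugin or a `database` output in `log` mode counts as an explicit packet logger; the sample config is constructed from the lines quoted in the thread.

```python
import re

# Constructed sample: the output directives quoted in the thread.
SAMPLE_CONF = """\
output alert_full
output alert_syslog: LOG_AUTH LOG_ALERT
output database: log, mysql, user=user password=pass dbname=snortlogs \\
    host=localhost
"""

OUTPUT_RE = re.compile(r"^output\s+(\w+)\s*(?::\s*(.*))?$")


def parse_outputs(conf_text):
    """Return (plugin, args) for every 'output' directive in a snort.conf."""
    joined = re.sub(r"\\[ \t]*\n", " ", conf_text)  # join '\' continuations
    outputs = []
    for raw in joined.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        m = OUTPUT_RE.match(line)
        if m:
            outputs.append((m.group(1), (m.group(2) or "").strip()))
    return outputs


def is_packet_logger(plugin, args):
    # Assumption: log_* plugins log packets, and so does 'database'
    # when its first argument is 'log' (as in the quoted config).
    if plugin.startswith("log_"):
        return True
    return plugin == "database" and args.split(",", 1)[0].strip() == "log"


def ascii_logging_state(conf_text):
    """'default', 'explicit' or 'missing' for the per-IP ASCII packet logs."""
    loggers = [p for p, a in parse_outputs(conf_text) if is_packet_logger(p, a)]
    if not loggers:
        return "default"    # nothing overrides the default log_ascii
    if "log_ascii" in loggers:
        return "explicit"   # log_ascii enabled alongside the other loggers
    return "missing"        # another logger replaced the default


if __name__ == "__main__":
    print("as quoted:      ", ascii_logging_state(SAMPLE_CONF))
    print("with log_ascii: ", ascii_logging_state(SAMPLE_CONF + "output log_ascii\n"))
```

A result of `missing` corresponds to the symptom reported in the thread: alerts and database rows are still produced, but no per-IP subdirectories appear under the log directory.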