Snort Logs?

[JockVSJock]

Running RH7.3 and got Snort up and running and I'm wondering now where am I suppost to log this info to? Or how does it happen?

Does Snort come with some sort of default log that gets written too, or do I have to go into /etc/syslog.conf and add some sort of line so this info gets written to /var/log/snort?

Code:

 
# Path to write Snort into to

snort.*

thanks

[IchNiSan]

Hmm, I know I had snort logging to a file once, I forget how I did it, maybe it was automatic.

I think I had to make a snort directory in /var/log and then it logged to there. Alternatively, what I do now when I set it up is use MySQL. Here is a link to a great document from the snort.org site about how to set snort up with MySQL, and ACID on Redhat.

http://www.snort.org/docs/snort-rh7-mysql-ACID-1-5.pdf

[slarty]

AFAIK, with the out-of-the-box configuration it writes to /var/log/snort/fast.log plus logs each packet that triggers an alert into appropriate subdirectories in /var/log/snort by IP number.

It is configurable. You can have several logs for different types of events.

It is also perhaps desirable to disable packet logging as it eats inodes quickly for a busy networks (The network I was monitoring saw hundreds of attacks per day, using thousands of packets)

[JockVSJock]

Hmm, I know I had snort logging to a file once, I forget how I did it, maybe it was automatic.

I think I had to make a snort directory in /var/log and then it logged to there. Alternatively, what I do now when I set it up is use MySQL. Here is a link to a great document from the snort.org site about how to set snort up with MySQL, and ACID on Redhat.

http://www.snort.org/docs/snort-rh7-mysql-ACID-1-5.pdf

Kewl. Thanks for the URL for the pdf, I've read thru it and it has alot of the info. that I am looking for.