On Friday 06 May 2005 03:29 pm, hackhound wrote:
> I installed snort the other day, and now I am getting an email daily
> from the Cron Daemon with the following two lines:
>
> error: error accessing /var/log/snort/*: No such file or directory
> error: snort:4 glob failed for /var/log/snort/*/*log
>
> /var/log/snort/ does exist, and there are several log files within.
> There is one called 'alert', and there are several called
> 'snort.log.1115074580' or similar. So, I have no idea why I am
> getting this email, nor what to do to stop it from occurring.
In your /etc/logrotate.d directory is a file called cron that contains the log rotation information for your system. IIRC, it tries to find timestamped files for logs and rotate them. I don't think that part works very well. You should be altering the snort configuration to log everything to a single log file called /var/log/snort/snort.log or something like that. You can find the default configuration in /etc/sysconfig/snort.

Personally, I found that snort, in the out of the RPM configuration, was practically worthless. It didn't parse html requests, the rule sets were as likely to generate false alarms as real intrusion attempts, and the log files were worthless without some type of parsing agent to point out the real attacks. I ended up turning on the mysql database functionality, altering snort to log to the database, installing ACID and generally reconfiguring snort to actually be useful.

-- 
Bryan Phinney
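The two cron lines come from logrotate expanding the paths at the head of a stanza as shell globs and treating a pattern that matches nothing as an error. The script below is an added example, not code from the thread or from the Mandrake snort package: it rebuilds the directory layout the poster described (an `alert` file plus timestamped `snort.log.<epoch>` files, no subdirectories), checks candidate patterns against it the way logrotate does, and prints a stanza for the single-file layout the reply recommends. The `/var/log/snort/*/*log` shape is taken from the cron mail; the `snort.log` file name, the `check_pattern` / `count_failures` / `write_stanza` helpers and the stanza contents are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not from the original thread or the snort RPM. It reproduces
# logrotate's "error accessing" / "glob failed" condition: each path at the
# head of a stanza is expanded as a glob, and an empty expansion is an error.

# Expand one logrotate path pattern. Prints the files it matches and returns
# 1 when it matches nothing (the condition the nightly cron mail is about).
check_pattern() {
    pattern=$1
    found=0
    # Unquoted expansion applies the same globbing logrotate applies to
    # stanza paths; an unmatched pattern stays literal and fails the -e test.
    for f in $pattern; do
        [ -e "$f" ] || continue
        found=1
        printf 'match: %s\n' "$f"
    done
    if [ "$found" -eq 0 ]; then
        printf 'no match: %s\n' "$pattern" >&2
        return 1
    fi
    return 0
}

# Constructed copy of what the poster described: a flat directory holding
# 'alert' and timestamped snort.log.<epoch> files, with no subdirectories.
make_sample_logdir() {
    dir=$(mktemp -d)
    : > "$dir/alert"
    : > "$dir/snort.log.1115074580"
    : > "$dir/snort.log.1115160980"
    printf '%s\n' "$dir"
}

# Count how many candidate patterns fail against a log directory.
# "<dir>/*/*log" is the shape from the cron mail; "<dir>/snort.log" is the
# single file the reply suggests pointing snort at (assumed file name).
count_failures() {
    dir=$1
    fails=0
    for p in "$dir/*/*log" "$dir/alert" "$dir/snort.log"; do
        check_pattern "$p" >/dev/null 2>&1 || fails=$((fails + 1))
    done
    echo "$fails"
}

# Print a stanza for the single-file layout (assumed form, not the RPM's own).
# Rotating the file snort actually writes is what removes the error; the
# postrotate action that makes snort reopen its file is package-specific
# and is left out here rather than guessed.
write_stanza() {
    cat <<'EOF'
/var/log/snort/snort.log /var/log/snort/alert {
    daily
    rotate 7
    compress
    notifempty
    sharedscripts
}
EOF
}
```

Running `count_failures` against the constructed directory reports two failing patterns: the `*/*log` glob (there are no subdirectories) and `snort.log` (only timestamped files exist). Once snort is reconfigured to write `snort.log`, only the `*/*log` pattern still fails, which is the line to drop from the stanza. Adding `missingok` to a stanza is the one-line way to silence the mail, but it also hides the case where the sensor has stopped writing where you expect; aligning the stanza with the file snort really writes keeps that signal.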
