Hello David Sir,
Thanks for the quick reply.
I am getting one log per minute, and the rate of logging is reduced to a
great extent.
> so you are getting some snort logs and not others on the central
> server, correct?
>
I am getting snort daemon logs, but I need the *snort rule alert logs*;
I am also getting the other components' logs in good format.
> what do these logs look like on the client? (a sample of good and
> bad logs)
Both logs are the same on the client and the server.
For example,
Oct 11 14:14:14 clc euca-cc: instances: 0000 (0000 extant + 0000 pending
+ 0000 terminated)
Oct 11 14:14:14 clc euca-cc: nodes: 0001 (0000 busy + 0001 idle +
0000 unresponsive)
is present in the same format on both the server and the client.
The thing I found strange is:
On the client machine (snort installed),
location: /var/log/messages
I am getting logs as http://fpaste.org/46026/
in which both euca-cc messages and snort rule alert messages are getting
logged.
On the log server machine,
only euca-cc messages are getting logged, but the snort rule alert message
gets dropped at the same timestamp, 12:44:44.
I want to log snort alerts into syslog.
The difference I observed is: http://fpaste.org/46029
I think this is what you called bad log samples :)
Seeking guidance,
Thanks !
--
Cheers,
mayur
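To pin down exactly which records the central server is dropping, here is an added Python example (not from this thread, and not rsyslog's or snort's own code) that parses lines in the BSD syslog format shown above and reports, per program, how many records the client logged versus the server, plus the client records that never arrived. The embedded log lines are constructed samples standing in for the fpaste pastes, and the snort alert line is hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in the same BSD syslog format as the thread
# (the real fpaste pastes are not reproduced here). The snort line is a
# hypothetical alert used only for illustration.
CLIENT_LOG = """\
Oct 11 12:44:44 clc euca-cc: instances: 0000 (0000 extant + 0000 pending + 0000 terminated)
Oct 11 12:44:44 clc euca-cc: nodes: 0001 (0000 busy + 0001 idle + 0000 unresponsive)
Oct 11 12:44:44 clc snort[2210]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [Priority: 2] {TCP} 10.1.1.5:80 -> 10.1.1.7:40122
"""
SERVER_LOG = """\
Oct 11 12:44:44 clc euca-cc: instances: 0000 (0000 extant + 0000 pending + 0000 terminated)
Oct 11 12:44:44 clc euca-cc: nodes: 0001 (0000 busy + 0001 idle + 0000 unresponsive)
"""

# "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

def parse(line):
    """Return (timestamp, host, program, message), or None if not syslog."""
    m = SYSLOG_RE.match(line.rstrip())
    return m.group("ts", "host", "prog", "msg") if m else None

def compare_logs(client_lines, server_lines):
    """Per-program counts on each side, plus client records absent on the
    server (a multiset difference, so repeated identical lines are handled)."""
    client = [p for p in map(parse, client_lines) if p]
    server = [p for p in map(parse, server_lines) if p]
    client_by_prog = Counter(p[2] for p in client)
    server_by_prog = Counter(p[2] for p in server)
    counts = {prog: (n, server_by_prog[prog]) for prog, n in client_by_prog.items()}
    remaining = Counter(server)
    missing = []
    for rec in client:
        if remaining[rec] > 0:
            remaining[rec] -= 1
        else:
            missing.append(rec)
    return counts, missing

if __name__ == "__main__":
    counts, missing = compare_logs(CLIENT_LOG.splitlines(), SERVER_LOG.splitlines())
    for prog, (c, s) in sorted(counts.items()):
        print(f"{prog:10s} client={c} server={s}{'  <-- dropped' if s < c else ''}")
    for ts, host, prog, msg in missing:
        print(f"missing on server: {ts} {host} {prog}: {msg[:60]}")
```

Run it against the real /var/log/messages from both hosts (restricted to the same time window) to see whether only the snort program tag is affected, which is the first thing to confirm before looking at filters or rate limiting on either side.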
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.