On Fri, 11 Oct 2013, Mayur Patil wrote:

     Thanks for the quick reply.

     I am getting one log per minute and the rate of logging is reduced to a
great extent.

exactly one log per minute? that sounds like a problem with processing the logs somehow.


I'll look into this more tomorrow.

David Lang


      so you are getting some snort logs and not others on the central
server, correct?


   I am getting snort daemon logs; but I need the *snort rule alert logs*.

   I am also getting the other components' logs in good format as well.


      what do these logs look like on the client? (a sample of good and
bad logs)


   Both logs are the same on the client and server.

  For ex,

  Oct 11 14:14:14 clc euca-cc: instances: 0000 (0000 extant + 0000 pending + 0000 terminated)
  Oct 11 14:14:14 clc euca-cc:     nodes: 0001 (0000 busy + 0001 idle + 0000 unresponsive)

  is present in same format both on server as well as client.

  The thing I found strange is :

   *On client machine (snort installed),*
   location: /var/log/messages
   I am getting logs as at *http://fpaste.org/46026/*,
   in which euca-cc messages and snort rule alert messages are getting
logged.


   *On log server machine,*
   Only euca-cc messages are getting logged, but the snort rule alert messages
get dropped at the same timestamp 12:44:44.

   I want to log snort alert into syslog.

   The difference I observed is:   http://fpaste.org/46029

   I think this is what you called bad log samples  :)

   Seeking guidance,

   Thanks !
--
Cheers,
mayur
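As an added illustration of the comparison the poster did by hand between the client's /var/log/messages and the central server's copy, the script below parses BSD-style syslog lines, reports which lines (grouped by program tag) are present on the client but missing on the server, and counts lines per minute so a "one log per minute" pattern stands out. This is example code written for this thread, not rsyslog code or either poster's own; the euca-cc lines follow the format quoted above, while the snort lines are constructed placeholders in snort's syslog alert style and are not the alerts from the fpaste links.

```python
"""Diff a client syslog sample against what reached the central server.

Added example for the rsyslog thread above; not code from rsyslog or from
the posters.  The sample lines are constructed: the euca-cc lines follow the
format quoted in the thread, the snort lines are placeholders.
"""
import re
from collections import Counter

# BSD syslog line as rsyslog writes it: "Mon DD HH:MM:SS host tag[pid]: msg"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?:\s*"
    r"(?P<msg>.*)$"
)

# Constructed sample data (same format as the thread's quoted lines).
EUCA_LINES = [
    "Oct 11 12:44:44 clc euca-cc: instances: 0000 (0000 extant + 0000 pending + 0000 terminated)",
    "Oct 11 12:44:44 clc euca-cc:     nodes: 0001 (0000 busy + 0001 idle + 0000 unresponsive)",
]
# Constructed placeholders in snort's syslog alert style; not real alerts.
SNORT_LINES = [
    "Oct 11 12:44:44 clc snort[4242]: [1:9999991:1] CONSTRUCTED test alert A "
    "[Priority: 3] {TCP} 192.0.2.10:40000 -> 192.0.2.20:80",
    "Oct 11 12:44:44 clc snort[4242]: [1:9999992:1] CONSTRUCTED test alert B "
    "[Priority: 3] {UDP} 192.0.2.10:40001 -> 192.0.2.20:53",
]
CLIENT_LOG = "\n".join(EUCA_LINES + SNORT_LINES) + "\n"   # what the client wrote
SERVER_LOG = "\n".join(EUCA_LINES) + "\n"                 # what the server received


def parse_syslog(text):
    """Return one dict per non-empty line.

    Lines that do not match the syslog shape are kept with tag '?' so they
    still count towards volume instead of silently disappearing.
    """
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = SYSLOG_RE.match(line)
        if m:
            records.append(m.groupdict())
        else:
            records.append({"ts": "", "host": "", "tag": "?", "pid": None, "msg": line})
    return records


def _key(rec):
    # The pid is deliberately left out: the question is whether the same
    # event text from the same host at the same second arrived at the server.
    return (rec["ts"], rec["host"], rec["tag"], rec["msg"])


def missing_on_server(client_text, server_text):
    """Keys (ts, host, tag, msg) present in the client log but not on the server.

    Counter subtraction keeps multiplicity, so if the client logged the same
    line twice and the server has it once, one copy is reported missing.
    """
    client_counts = Counter(_key(r) for r in parse_syslog(client_text))
    server_counts = Counter(_key(r) for r in parse_syslog(server_text))
    diff = client_counts - server_counts
    return [k for k, n in diff.items() for _ in range(n)]


def missing_by_tag(client_text, server_text):
    """Count of missing lines per program tag, e.g. {'snort': 2}."""
    return Counter(k[2] for k in missing_on_server(client_text, server_text))


def lines_per_minute(text):
    """Volume per 'Mon DD HH:MM' bucket; a flat 1 per minute is a red flag."""
    return Counter(r["ts"][:-3] for r in parse_syslog(text) if r["ts"])


if __name__ == "__main__":
    for tag, n in missing_by_tag(CLIENT_LOG, SERVER_LOG).items():
        print(f"{n} line(s) from '{tag}' on the client never reached the server")
    print("client volume:", dict(lines_per_minute(CLIENT_LOG)))
    print("server volume:", dict(lines_per_minute(SERVER_LOG)))
```

Run it against a real pair of files by replacing CLIENT_LOG and SERVER_LOG with the file contents; the per-tag summary tells you immediately whether a whole program's output is being dropped or whether the loss is spread across sources, and the per-minute counts show whether the server side is receiving a trickle rather than the client's actual rate.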

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
