Netgate Discussion Forum

    Snort log priority setting

      Slimhoppo

      I am trying to change Snort's log priority from log_alert to log_err on my pfSense system. I found snort.conf and then I found the interface-specific versions, changed it in there and then recycled each interface, to find that the setting was overwritten from Snort's config.xml. So I changed <alertsystemlog_priority>log_alert</alertsystemlog_priority> to <alertsystemlog_priority>log_err</alertsystemlog_priority> in config.xml and recycled each interface and that seemed to work, but now something is changing the setting back to log_alert in config.xml. I can't see any documentation online for where to look next. Any ideas?

      What would be ideal would be for the log priority to be surfaced in the pfSense GUI, but I don't think it is there.

      Thanks for your help.

        bmeeks

        There is a drop-down selector on the INTERFACE SETTINGS tab of the interface for choosing the syslog priority for Snort logging. That drop-down is hidden until you check the checkbox for syslog logging of alerts. You should make your changes there if you want them to be persistent.

        Never edit files directly on the filesystem, as those are usually recreated from scratch each time you save a config change in the GUI or the operating system sends a "sync all packages" command to installed packages. The resync will overwrite any previous direct user edits on the filesystem.

          Slimhoppo @bmeeks

          @bmeeks How did I miss that? Thanks very much.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.