Snort alert logging
-
Hello!
Running 2.4.5-RELEASE-p1 with snort 4.1.2_3
Snort auto log management is enabled
The alert log thresholds are set to 500 KB and 14 days.
I have a WAN interface that generates a good number of alerts. Sometimes, when I go to view the alerts for that interface, the list is empty, which seems odd.
When I look at the /var/log/snort/snort_igb0xxxx directory I see :
-rw------- 1 root wheel 702536 Jan 19 14:55 alert.1611018900
-rw-r--r-- 1 root wheel      0 Jan 18 19:15 alert
-rw-r--r-- 1 root wheel 511900 Jan 16 21:16 alert.1610853438
-rw------- 1 root wheel 687866 Jan 11 21:40 alert.1610357400
-rw-r--r-- 1 root wheel 282150 Jan  8 23:58 alert.1609890932
-rw------- 1 root wheel 842750 Jan  5 17:55 alert.1609676100
The active alert log is empty. Snort has been rotating the logs, but it appears that for some reason it is continuing to log alerts into the last rotated file (alert.1611018900) instead of the alert log file used by the gui. Viewing the last rotated log file verifies this.
Am I looking at this the right way, or maybe missing something?
John
-
@serbus said in Snort alert logging:
Hello!
Running 2.4.5-RELEASE-p1 with snort 4.1.2_3
Snort auto log management is enabled
The alert log thresholds are set to 500 KB and 14 days.
I have a WAN interface that generates a good number of alerts. Sometimes, when I go to view the alerts for that interface, the list is empty, which seems odd.
When I look at the /var/log/snort/snort_igb0xxxx directory I see :
-rw------- 1 root wheel 702536 Jan 19 14:55 alert.1611018900
-rw-r--r-- 1 root wheel      0 Jan 18 19:15 alert
-rw-r--r-- 1 root wheel 511900 Jan 16 21:16 alert.1610853438
-rw------- 1 root wheel 687866 Jan 11 21:40 alert.1610357400
-rw-r--r-- 1 root wheel 282150 Jan  8 23:58 alert.1609890932
-rw------- 1 root wheel 842750 Jan  5 17:55 alert.1609676100
The active alert log is empty. Snort has been rotating the logs, but it appears that for some reason it is continuing to log alerts into the last rotated file (alert.1611018900) instead of the alert log file used by the gui. Viewing the last rotated log file verifies this.
Am I looking at this the right way, or maybe missing something?
John
The log rotation logic is supposed to send Snort a soft restart command so that it resyncs the logs. Apparently that is not happening in your case. I have not seen this on my box, but that may be for two reasons: I have a low incidence of alerts on my home network, and the rules update job usually restarts Snort several times a week as the rules update. That restart will cause the log file resync.
Looking at the code I see a potential "miss" with sending that log resync soft restart command. I will fix that in an upcoming release of Snort. In the meantime, stop and restart Snort on your interface (or interfaces) and that will reset the "active" alert log so that alerts show on the ALERTS tab. The GUI code only parses the alert file when populating the ALERTS tab. It does not go into the rotated files. So with your zero-length file, the GUI code sees no alerts to display.
-
Hello!
Thanks for looking into this so quickly!
The manual restart did the job.
John
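The failure mode in this thread is a general one for any daemon whose log is rotated by rename: the rotation job renames `alert` to `alert.<timestamp>` and creates a fresh empty `alert`, but the daemon still holds a file descriptor on the renamed inode, so every new alert lands in the rotated file until the daemon is told to reopen its log (which is what the soft restart in the reply above achieves). The following is an added example, not code from the Snort package or pfSense; the writer class, the directory layout in a temp directory, the rotation function and the alert lines are all constructed for illustration, and the GUI stand-in simply counts non-empty lines in the file named `alert`, as the reply says the ALERTS tab reads only that file.

```python
"""Model of a daemon that keeps its alert log open across a rename-based
rotation, showing why the GUI-facing `alert` file stays empty until the
daemon reopens its log. Added example; nothing here is Snort/pfSense code."""
import os
import tempfile


class AlertWriter:
    """Stand-in for a daemon that opens its alert log once and keeps writing."""

    def __init__(self, path):
        self.path = path
        self.fh = open(path, "a", buffering=1)  # line-buffered append

    def alert(self, msg):
        # The write goes to the inode the descriptor was opened on,
        # regardless of which file the name `alert` currently points to.
        self.fh.write(msg + "\n")
        self.fh.flush()

    def reopen(self):
        # What a soft restart / log resync amounts to: close the old
        # descriptor and reopen the log by *name*, picking up the new file.
        self.fh.close()
        self.fh = open(self.path, "a", buffering=1)

    def close(self):
        self.fh.close()


def rotate(path, stamp):
    """Rename the active log to <path>.<stamp> and create a new empty <path>.

    This is the rename step of a typical rotation; it does not notify the
    writer, which is the gap the thread describes."""
    rotated = f"{path}.{stamp}"
    os.rename(path, rotated)
    open(path, "a").close()
    return rotated


def gui_alert_count(path):
    """Mimic the ALERTS tab: parse only the file it is given (the `alert`
    file), never the rotated siblings."""
    with open(path) as fh:
        return sum(1 for line in fh if line.strip())


def demo(reopen_after_rotate):
    """Return (alerts visible to the GUI, alerts in the rotated file).

    With reopen_after_rotate=False the post-rotation alert is misdirected
    into the rotated file and the GUI sees an empty `alert`, matching the
    ls listing in the thread. With True the writer resyncs and the GUI
    sees the new alert."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "alert")
        w = AlertWriter(path)
        # Constructed alert lines in the fast-alert style; not real events.
        w.alert("01/19-14:00:00 [**] [1:1000001:1] constructed alert A [**]")
        rotated = rotate(path, "1611018900")
        if reopen_after_rotate:
            w.reopen()
        w.alert("01/19-14:55:00 [**] [1:1000002:1] constructed alert B [**]")
        w.close()
        return gui_alert_count(path), gui_alert_count(rotated)


if __name__ == "__main__":
    print("without resync (gui, rotated):", demo(False))
    print("with resync    (gui, rotated):", demo(True))
```

Run stand-alone it prints `(0, 2)` for the broken case and `(1, 1)` once the writer reopens its log after rotation. On a real box the equivalent check is to compare the mtime and size of `alert` against the newest `alert.<timestamp>` after a rotation: if the rotated file is the one still growing, the daemon was not told to reopen.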