Snort logs in Status -> System Logs -> Authentication -> General

NogBadTheBad · Jun 22, 2021, 7:45 AM

Should they be here ?

TBH I never really look in the Authentication -> General section and noticed them earlier today.

bmeeks · Jun 22, 2021, 2:20 PM

Does all Snort alerts syslog traffic get logged there, or just those particular rules alerts? You control the log level used by Snort when logging to syslog on the INTERFACE SETTINGS tab for the particular Snort interface.

NogBadTheBad · Jun 22, 2021, 2:46 PM

@bmeeks All set to the defaults, apart from logging u2 VLAN events for the LAN.

They also seem to be in Status -> System Logs -> System -> General, where I'd expect them to be.

WAN:-

LAN:-

bmeeks · Jun 22, 2021, 2:53 PM

The System Log Facility setting controls "where" the entries are logged. Or more accurately, what "tag" they are given in syslog. So with the default of LOG_AUTH, those alerts are going to be given that tag, so when filtering in pfSense's system log, they will show up that way. The "General" view in pfSense grabs everything (if I recall) regardless of the "tag" it was given when logged. But those other tabs do let you filter by the facility tag.