Hi Brian,


Existing snort loggers don’t have functionality to separate entries by event type; if you’d like to have this behavior with any of them, you could try logging all the events into a single file and managing it with some external script.

Alternatively, you could take a look at this lua logger example from snort3_extra: https://github.com/snort3/snort3_extra/blob/master/src/loggers/alert_lua/alert.lua
With this you can implement your own steps during eventing, including file separation by event type.


Hope this can be of use.


Regards,

Andrii
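
As an added illustration of the first option above (not code from this thread or from the Snort project), here is an external post-processing script that splits one combined alert_csv file into per-action files. The field order is an assumption that must match `alert_csv.fields` in your snort.lua, and the sample lines are constructed, not real Snort output:

```python
"""Split a single Snort 3 alert_csv output file into one file per rule action."""
import csv
import sys
from collections import defaultdict
from pathlib import Path

# Assumed alert_csv field order; it must match alert_csv.fields in snort.lua.
FIELDS = ["timestamp", "pkt_num", "proto", "pkt_gen", "pkt_len", "dir",
          "src_ap", "dst_ap", "rule", "action"]

# Constructed sample records (documentation addresses, made-up GIDs/SIDs).
SAMPLE = """\
10/17-17:17:01.000001,1,TCP,raw,60,C2S,192.0.2.10:51234,198.51.100.5:80,1:1000001:1,alert
10/17-17:17:02.000002,2,UDP,raw,90,C2S,192.0.2.11:5353,198.51.100.9:53,1:1000002:1,log
10/17-17:17:03.000003,3,TCP,raw,60,S2C,198.51.100.5:80,192.0.2.10:51234,1:1000003:1,alert
"""


def split_by_action(lines, fields=FIELDS):
    """Group CSV records by their 'action' column. Returns {action: [row, ...]}."""
    action_idx = fields.index("action")
    buckets = defaultdict(list)
    for row in csv.reader(lines):
        # Skip blank or partially written lines (e.g. a record still being flushed).
        if len(row) != len(fields):
            continue
        buckets[row[action_idx]].append(row)
    return dict(buckets)


def write_buckets(buckets, out_dir):
    """Write each action group to <out_dir>/<action>.csv; returns the paths written."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    written = []
    for action, rows in buckets.items():
        path = out_dir / f"{action}.csv"
        with path.open("w", newline="") as fh:
            csv.writer(fh).writerows(rows)
        written.append(path)
    return written


if __name__ == "__main__":
    # Usage: split_alerts.py [alert_csv.txt] [out_dir]; defaults to the sample data.
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE.splitlines()
    out = sys.argv[2] if len(sys.argv) > 2 else "split_logs"
    for p in write_buckets(split_by_action(src), out):
        print("wrote", p)
```

Run it from cron or a log-rotation hook so the combined file stays the single source of truth and the per-action files are derived from it.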


From: Snort-users <snort-users-bounces@lists.snort.org> on behalf of Brian Jameson via Snort-users <snort-users@lists.snort.org>
Date: Thursday, 17 October 2024 at 17:17
To: snort-users@lists.snort.org <snort-users@lists.snort.org>
Subject: [Snort-users] Snort3 logger of action type 'alert' and 'log'

I have returned to snort after several years and am trying to get to
know snort3. I have 'alerts' being logged to alert_csv, which goes on to
record the data in MySQL. But I would also like to use an action type of
'log' for some rules. This is on the assumption that rules that trigger
an alert will not go on to trigger a log. I would like to output the log
alerts using something like the -A cmg but preferably to a file. Any
suggestions on how to output two log types to separate 'alert' and 'log'
types? I assume this is done in snort.lua, but where and how?

