Configuring logging of Snort events

Make sure that the server running Snort has at least 500 MB of free disk space for storing a single Snort event log.
When the log reaches 500 MB, Snort automatically creates a new file with a name that includes the current time in unixtime format.
We recommend monitoring disk space usage.

To configure Snort event logging:

  1. Connect to the server where Snort is installed using an account with administrative privileges.
  2. Edit the Snort configuration file. To do so, run the following command on the command line:

    sudo vi /usr/local/etc/snort/snort.lua

  3. In the configuration file, edit the alert_json block:

    alert_json =

    {

    file = true,

    limit = 500,

    fields = 'seconds action class b64_data dir dst_addr dst_ap dst_port eth_dst eth_len \

    eth_src eth_type gid icmp_code icmp_id icmp_seq icmp_type iface ip_id ip_len msg mpls \

    pkt_gen pkt_len pkt_num priority proto rev rule service sid src_addr src_ap src_port \

    target tcp_ack tcp_flags tcp_len tcp_seq tcp_win tos ttl udp_len vlan timestamp',

    }

  4. To complete the configuration, run the following command:

    sudo /usr/local/bin/snort -c /usr/local/etc/snort/snort.lua -s 65535 -k none -l /var/log/snort -i <name of the interface that Snort is listening on> -m 0x1b

As a result, Snort events are logged to /var/log/snort/alert_json.txt.

Page top