0001511: Duplicate Snort logging since 6.5

View Issue Details [ Jump to Notes ]

[ Issue History ] [ Print ]

Project

Category

View Status

Date Submitted

Last Update

0001511

ClearOS

app-intrusion-detection - Intrusion Detection

public

2014-01-10 11:31

2015-11-23 12:38

Reporter

NickH

Assigned To

user2

Priority

normal

Severity

minor

Reproducibility

always

Status

closed

Resolution

no change required

Platform

OS Version

Product Version

6.5.0

Target Version

Fixed in Version

Summary

0001511: Duplicate Snort logging since 6.5

Description

The files /var/log/snort/syslog (and their rotated copies), which are new since 6.5 was released, contain an exact duplicate of the snort entries in /var/log/messages from when snort starts up and this is wrong to me. The cause appears to be a new file, /etc/rsyslog.d/snort.conf, which sends the messages to the new file. This file is missing a trailing "& ~" which would stop the files going to /var/log/messages. If in doubt have a look at /etc/rsyslog.d/ipsec.conf for how it should be done.

Note this is heavily related to bugs 1263 and 1264.

Tags

No tags attached.

Attached Files

Relationships

Notes
(0001128) user2 2014-01-10 11:49	This is by design. We did not want to remove any logging for ClearOS 6 users since there are some customers that have already deployed reporting tools pointing to /var/log/messages. Similarly, the new (unreleased) IDS/IPS reporting tool needs to avoid parsing large/runaway /var/log/messages log files caused by other issues (e.g. spurious kernel logs). For ClearOS 7, we have already planned to remove the duplication - tracker 0001264

Issue History
Date Modified	Username	Field	Change
2014-01-10 11:31	NickH	New Issue
2014-01-10 11:49	user2	Note Added: 0001128
2014-01-10 11:49	user2	Status	new => resolved
2014-01-10 11:49	user2	Resolution	open => no change required
2014-01-10 11:49	user2	Assigned To	=> user2
2015-11-23 12:38	user2	Status	resolved => closed

ClearOS Bug Tracker