# SNORT does not log to the database or /var/log/snort

## thurisaz

Hi guys,

I have a lot of problems getting SNORT to log any events. I already tried the unstable ebuilds but the problem is the same: I emerge SNORT, set up my database with the SQL files (I tried MySQL and PostgreSQL), create a snort user with the needed permissions and create a snort.conf like

```
var HOME_NET $eth0_ADDRESS
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var SHELLCODE_PORTS !80
var RULE_PATH /etc/snort/rules

preprocessor frag2: memcap 16777216, timeout 30
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble: both,ports[all]

output alert_syslog: LOG_AUTH LOG_DAEMON LOG_LOCAL0 LOG_USER LOG_EMERG LOG_CRIT LOG_ERR LOG_WARNING LOG_NOTICE LOG_INFO LOG_DEBUG
output alert_full: alert.full
output database: log, postgresql, user=MYUSER dbname=MYDBNAME password=MYPASSWORD host=MYLOCALHOST

include classification.config
include reference.config
```

But the databases are totally empty and neither /var/log/messages nor /var/log/postgresql.log give me any hints of what could have gone wrong.

I have no idea what else I can do, and I found a lot of threads on the internet with people who have the same problem. Nevertheless I didn't find any good hint to solve my problem. Could it be an iptables problem? What am I doing wrong? Where can I get more information?

P.S.: My system is totally up to date; the SNORT version is

```
net-analyzer/snort-2.4.1  -flexresp +inline +mysql -odbc +postgres -prelude (-selinux) +sguil +snortsam +ssl
```

----------

## thurisaz

Nobody? Not at least a hint where I could begin searching? Do you need more information about my system/config?

----------

## magic919

I don't use Snort but I'd say forget the database for now and get it to log to a file first.  Then progress to the database.

Try running Snort straight off the command line rather than from the init scripts, as well as checking what the init script passes to the executable.

----------

## Suicidal

A bit late here but if you are using sguil the log directory should be /var/lib/sguil/$(hostname). 

Also check the permissions of /var/lib/sguil so that the sguil user has access; in addition look at your snort conf, as there may be rules included in it that are not included in the actual snort release.

----------

## ]Trix[

I have followed this post to set up snort with mysql and some things don't work.

First of all I cannot stop snort:

```
/etc/init.d/snort status
 * status:  started
/etc/init.d/snort stop
 * Stopping snort ...
start-stop-daemon: warning: failed to kill 28818: No such process
/etc/init.d/snort start
 * WARNING:  "snort" has already been started
```

Then at boot I get this message:

```
gateway snort[15588]: FATAL ERROR: Unable to open rules file: /etc/snort/rules/local.rules or /etc/snort//etc/snort/rules/local.rules
```

Then nothing gets logged.

----------

## magic919

```
/etc/init.d/snort zap
```

will get the init script back in sync.

----------

## Suicidal

*]Trix[ wrote:*

> FATAL ERROR: Unable to open rules file: /etc/snort/rules/local.rules or /etc/snort//etc/snort/rules/local.rules

Look at your snort.conf: by default a lot of rules that do not exist in /etc/snort/rules are not commented out.

What I recommend is to comment all of them out, then only enable the ones that actually exist in /etc/snort/rules.

Secondly, I recommend installing oinkmaster and registering on snort.org so that you can get an updated rule set.

Lastly, you might want to look at bleedingsnort.com, since they have a lot of good rules; most detect viruses and malware, and so far I haven't had any break my box.

If you decide to use oinkmaster install it and update the rules first to avoid redundancy.
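As an added example (not from the thread or any poster), a POSIX shell check for the situation described above: it resolves every `include` in a snort.conf the way the FATAL ERROR shows Snort does (the path as given, with a `$RULE_PATH` prefix expanded, or relative to the snort.conf directory), lists the files that are missing on disk, and writes a copy of the conf with those includes commented out. The snort.conf and rules directory are constructed in a temp directory, and `resolve_include`, `list_missing_includes` and `comment_out_missing` are names chosen for this example.

```shell
# Added example, not from the thread: report the `include` lines in a snort.conf
# whose files are missing on disk and write a copy with those includes commented out.
set -f   # real confs contain glob-like tokens such as ports[all]; never expand them

# resolve_include CONF TARGET: the path Snort tries first for an include line.
resolve_include() {
    r_conf=$1; r_target=$2
    r_rule_path=$(awk '$1 == "var" && $2 == "RULE_PATH" { print $3; exit }' "$r_conf")
    case $r_target in
        '$RULE_PATH'/*) echo "$r_rule_path/${r_target#\$RULE_PATH/}" ;;
        /*)             echo "$r_target" ;;
        *)              echo "$(dirname "$r_conf")/$r_target" ;;  # relative to snort.conf
    esac
}

# list_missing_includes CONF: one missing include path per output line.
list_missing_includes() {
    while read -r keyword target _; do
        [ "$keyword" = "include" ] || continue
        path=$(resolve_include "$1" "$target")
        [ -f "$path" ] || echo "$path"
    done < "$1"
}

# comment_out_missing CONF OUT: copy CONF to OUT, commenting out missing includes.
comment_out_missing() {
    c_conf=$1; c_out=$2
    while IFS= read -r line; do
        set -- $line   # word-split: $1 is the keyword, $2 the include target
        if [ "${1:-}" = "include" ] && [ ! -f "$(resolve_include "$c_conf" "$2")" ]; then
            printf '# missing on disk: %s\n' "$line"
        else
            printf '%s\n' "$line"
        fi
    done < "$c_conf" > "$c_out"
}
# Constructed sample: local.rules and classification.config exist,
# reference.config and web-attacks.rules do not.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/rules"
touch "$demo_dir/rules/local.rules" "$demo_dir/classification.config"
cat > "$demo_dir/snort.conf" <<EOF
var RULE_PATH $demo_dir/rules
include classification.config
include reference.config
include \$RULE_PATH/local.rules
include \$RULE_PATH/web-attacks.rules
EOF
list_missing_includes "$demo_dir/snort.conf"
comment_out_missing "$demo_dir/snort.conf" "$demo_dir/snort.conf.fixed"
```

Running it against a real /etc/snort/snort.conf lists exactly the includes to comment out before `snort -T` will pass.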

----------

## thecooptoo

Try

```
snort -T -u snort -i eth0 -l /var/log/snort -c /etc/snort/snort.conf
```

which will test the config.

When I tried

```
snort -v -u snort -i eth0 -l /var/log/snort -c /etc/snort/snort.conf
```

it printed a whole load of stuff that it was monitoring to stdout.

----------

