# Snort - Alert log file remains empty

## Caines

Hi.. I went to several "test my firewall" webpages, did the scans but nothing comes out into /var/log/snort/alert except maybe a few redundant entries in the folders of /var/log/snort/192.168.0.* & 192.168.1.0. I've chown-ed the whole /var/log/snort/ directory. I'm only running snort, no ACID or MySQL as an intrusion detection system. Here is my config.

 *Quote:*   

> # Config file for /etc/init.d/snort
> 
> # This tell snort which interface to listen on (any for every interface)
> 
> IFACE=any
> ...

 

Is there another way to test, to force an entry into the alert log file?

Also, although I put a "-D" variable, it runs as a process, not daemon. I could grep it. Is that normal?

Uber noob here for guidance. *bow*

----------

## d_m

Here are some things to check:

1. Are any snort processes running? Try "ps ax | grep snort"

2. Is the service running properly? As root, try "/etc/init.d/snort status" (if it isn't started, use /etc/init.d/snort start to try starting it. To have it start by default, run "rc-update add snort default")

3. Are there any errors in the applicable log files? /var/log/messages and any file in /var/log/snort would be the places to look.

----------

## Caines

 *d_m wrote:*   

> Here are some things to check:
> 
> 1. Are any snort processes running? Try "ps ax | grep snort"

 

Yup, one instance is running.

 *Quote:*   

> 2. Is the service running properly? As root, try "/etc/init.d/snort status" (if it isn't started, use /etc/init.d/snort start to try starting it. To have it start by default, run "rc-update add snort default")

 

It says, status: started.

 *Quote:*   

> 3. Are there any errors in the applicable log files? /var/log/messages and any file in /var/log/snort would be the places to look.

 

Initially, there was a "Permission denied" of /var/log/snort/alert. I've chowned that file to snort:snort. Now there's no error and it says again snort's initialization is successful. What could be wrong?

----------

## d_m

Well, if snort couldn't read/write its alert file that would obviously be a problem.

Did you change the permissions on the whole /var/log/snort directory? I know snort writes tons of little files in there that it needs.

I would verify all the permissions (probably just "chown -R snort:snort /var/log/snort"), and then restart snort ("/etc/init.d/snort restart"). Then I would do some things that you think should put messages in the log file and check again.
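
The ownership check described in the post above, written out as an added example that is not part of the original thread. It assumes the log directory /var/log/snort, the service user "snort" and an alert file named "alert", as mentioned in the posts; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed defaults: log directory
# /var/log/snort, service user "snort", alert file named "alert".

# List every entry under directory $1 not owned by user $2 (name or numeric uid).
list_wrong_owner() {
    find "$1" ! -user "$2" -print
}

# Number of such entries.
count_wrong_owner() {
    list_wrong_owner "$1" "$2" | wc -l | tr -d ' '
}

# State of the alert file in directory $1: missing, empty or has-alerts.
alert_state() {
    if [ ! -e "$1/alert" ]; then
        echo missing
    elif [ ! -s "$1/alert" ]; then
        echo empty
    else
        echo has-alerts
    fi
}

# Full audit. Returns 0 if ownership is consistent, 1 if not, 2 on bad input.
audit_snort_logs() {
    dir=${1:-/var/log/snort}
    user=${2:-snort}
    [ -d "$dir" ] || { echo "no such directory: $dir"; return 2; }
    # find rejects an unknown user name; catch that before counting.
    find "$dir" -prune -user "$user" >/dev/null 2>&1 ||
        { echo "unknown user: $user"; return 2; }
    echo "alert file: $(alert_state "$dir")"
    bad=$(count_wrong_owner "$dir" "$user")
    if [ "$bad" -gt 0 ]; then
        echo "$bad entries not owned by $user:"
        list_wrong_owner "$dir" "$user"
        return 1
    fi
    echo "all entries under $dir are owned by $user"
}

# Usage (as root): audit_snort_logs /var/log/snort snort
```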

----------

## Caines

I did that and still, nothing happens. Oh well, I guess I don't really need snort for a home computer. It's pretty secured already with a software and hardware firewall?

Thanks for your time though.

----------

## Baya

Hi,

Please can you show me how to add a rule and check if snort does an alert about it!

----------

