I run Snort on my home network. I have always just dumped the alerts
to /var/log/secure and read them with snort2html. I recently upgraded
the system (to RH 8.0) and installed the latest release of snort.
I tried to launch snort with the command line I used to use:
snort -s -c /etc/snort/snort.conf -D
(I am almost certain that I used to use the -s alone to log to
/var/log/secure) but that results in snort complaining and quitting.
I tried it with:
snort -s /var/log/secure ... and
snort -s /var/log ...
in both cases snort runs but I don't get any alerts.
When I run snort with the regular logging:
snort -l /var/log/snort -c ....
it works fine, but then I can't use the simple snort2html approach to
reading the alerts.
I set the output in snort.conf to:
output alert_syslog: LOG_AUTH LOG_ALERT
but that doesn't help.
Am I missing something simple?
Don
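An added troubleshooting script (not from the original post or the Snort project) for the situation above: it reads the `output alert_syslog:` line out of a snort.conf, converts Snort's LOG_* tokens into the facility.priority selector syslogd and logger(1) use, and optionally sends a marker message at that selector to show which file syslogd actually writes it to. Worth checking here because a stock Red Hat syslog.conf routes authpriv.* to /var/log/secure but auth.* (which LOG_AUTH selects) to /var/log/messages; the sample config fragment is constructed, and `--probe` assumes a running syslogd and read access to the log files.

```shell
#!/bin/sh
# Added example, not from the original post: map a snort.conf alert_syslog
# line to a syslog selector and (optionally) probe where syslogd puts it.

snort_syslog_selector() {
    # $1: snort.conf path, or - for stdin. Prints e.g. "auth.alert".
    awk '
    /^[ \t]*output[ \t]+alert_syslog:/ {
        sub(/^[^:]*:[ \t]*/, "")
        fac = "auth"; pri = "alert"        # Snort defaults when tokens are omitted
        n = split($0, t, /[ \t]+/)
        for (i = 1; i <= n; i++) {
            v = tolower(t[i]); sub(/^log_/, "", v)
            if (v ~ /^(auth|authpriv|daemon|user|local[0-7])$/) fac = v
            else if (v ~ /^(emerg|alert|crit|err|warning|notice|info|debug)$/) pri = v
        }
        print fac "." pri; exit
    }' "$1"
}

probe_syslog_destination() {
    # $1: selector such as auth.alert. Needs a running syslogd and read access
    # to the log files; prints the file(s) in which the marker turned up.
    marker="snort-syslog-probe-$$"
    logger -p "$1" -t snort "$marker"
    sleep 1
    grep -l "$marker" /var/log/secure /var/log/messages 2>/dev/null ||
        echo "marker not found in /var/log/secure or /var/log/messages"
}

# Constructed sample config fragment (hypothetical, not the poster's file).
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat >"$SAMPLE_CONF" <<'EOF'
var HOME_NET 192.168.1.0/24
output alert_syslog: LOG_AUTH LOG_ALERT
EOF

sel=$(snort_syslog_selector "$SAMPLE_CONF")
echo "snort.conf logs alerts to syslog selector: $sel"
if [ "${1:-}" = "--probe" ]; then
    probe_syslog_destination "$sel"
fi
```

Compare the printed selector against the selector lines in /etc/syslog.conf; if the facility is not the one routed to /var/log/secure, snort2html will be reading the wrong file.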