From owner-freebsd-questions  Tue Dec 18 18:43:35 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from c003.snv.cp.net (c003-h004.c003.snv.cp.net [209.228.32.218])
	by hub.freebsd.org (Postfix) with SMTP id 9A4A637B405
	for <freebsd-questions@FreeBSD.ORG>; Tue, 18 Dec 2001 18:43:33 -0800 (PST)
Received: (cpmta 22513 invoked from network); 18 Dec 2001 18:43:32 -0800
Received: from 64.195.103.89 (HELO boethius.telocity.com)
  by smtp.telocity.com (209.228.32.218) with SMTP; 18 Dec 2001 18:43:32 -0800
X-Sent: 19 Dec 2001 02:43:32 GMT
Received: (qmail 7710 invoked by uid 1000); 19 Dec 2001 02:44:31 -0000
From: "Anthony Kim" <niceshorts@yahoo.com>
Date: Tue, 18 Dec 2001 20:44:31 -0600
To: Dan Nelson <dnelson@allantgroup.com>
Cc: Ceri <setantae@submonkey.net>, krzysztof <cs052279@yahoo.com>,
	freebsd-questions@FreeBSD.ORG
Subject: Re: Sending email with syslogd
Message-ID: <20011219024431.GB7061@boethius.telocity.com>
Mail-Followup-To: Dan Nelson <dnelson@allantgroup.com>,
	Ceri <setantae@submonkey.net>, krzysztof <cs052279@yahoo.com>,
	freebsd-questions@FreeBSD.ORG
References: <20011218192032.43522.qmail@web14808.mail.yahoo.com> <20011218193110.GA57342@rhadamanth> <20011218195932.GC57822@dan.emsphone.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20011218195932.GC57822@dan.emsphone.com>
User-Agent: Mutt/1.3.24i
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG

On Tue, Dec 18, 2001, Dan Nelson wrote:

> In the last episode (Dec 18), Ceri said:
> > On Tue, Dec 18, 2001 at 11:20:32AM -0800, krzysztof wrote:
> > >      I've recently configured snort to log to syslog but it does
> > > not have an option in the snort.conf file to have it mail any
> > > detections to an account.  How would one configure anything snort
> > > logs to syslog at local*.* to send mail?  Is this something syslog
> > > can do?
> > 
> > In syslog.conf :
> > 
> > local*.*	|/bin/mail -s "log message from host.example.net" me@example.com
> 
> .. and keep in mind that syslog will launch that command /once/, and
> spool data into it until the pipe closes.  You probably want to do
> something like (untested):
> 
> local1.* 	| read -r line ; ( echo $line | /bin/mail -s "log message" user@host.com ) &
> 
> See the syslog.conf manpage for details.

IMO, this isn't the right approach to the original problem.
Install logwatch and have it monitor the snort alert.ids log.

-- 
"Le motd juste."
# vim:tw=65 ai et ts=4 sw=4

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message