I've got Snort running successfully on Windows, logging to MS-SQL. The problem is that it insists on writing to .\log\alert.ids - no matter what the configuration file says, as near as I can make out.
If I remove or rename the Snort\log directory, or start with a current directory other than the root of Snort's installation, I get the error:
ERROR: OpenAlertFile() => fopen() alert file log/alert.ids: No such file or directory
There is no output directive in the configuration file that would point Snort to write to a file. I want to avoid filling up the sensor's disk - that's part of why I'm sending alerts to a database server in the first place. My only output directive is:
output database: alert, mssql, dbname=snort \
user=(username) password=(password) \
host=(database server) \
I haven't tried installing Snort as a service yet. It's looking for a log file relative to the current working directory, which hardly seems a healthy behaviour for a service...
Thanks very much