2.4.4 Event Logging

Snort can log multiple events per packet or stream. Events are collected in an event queue and prioritized according to a configurable insertion method, such as ordering by the longest content match.

The general configuration of the event queue is as follows:

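The directive in its general form, written out here as an added example (the original listing did not survive extraction, so this is not the manual's own text). The three option keywords are the ones described in 2.4.4.1; the second ordering keyword, priority, and the bracket notation for optional arguments are assumptions:

```text
config event_queue: [max_queue <size>] [log <size>] [order_events <content_length|priority>]
```

Each option may be omitted, in which case its default applies (max_queue 8, log 3, order_events content_length).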

2.4.4.1 Event Queue Configuration Options

The 'event_queue' configuration parameter takes three options:

1. max_queue

This determines the maximum size of the event queue. For example, if the event queue has a max size of 8, only 8 events will be stored for a single packet or stream.

The default value is 8.

2. log

This determines the number of events to log for a given packet or stream. You cannot log more events than the max_queue value that was specified.

The default value is 3.

3. order_events

This argument determines the way that the incoming events are ordered. We currently have two different methods:

The ordering method does not affect how rule types such as pass, alert and log are processed.

The default value is content_length.
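To make the interaction of the three options concrete, the following is an added Python model of the per-packet event queue described above; it is an illustration written for this section, not Snort source code. The events are constructed samples, the second ordering method is assumed to be named priority (the page only names content_length), and the tie-breaking rules and the choice of which events are dropped when the queue is full are also assumptions:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One rule hit on a packet or stream. All values here are constructed samples."""
    sid: int             # rule id that fired
    priority: int        # rule priority; in Snort, 1 is the most severe
    content_length: int  # length of the longest content match in the rule
    msg: str


# Sort keys for the two ordering methods. Lower key sorts first.
ORDER_KEYS = {
    # Default: the longest content match first (the most specific rule wins);
    # priority and then sid are assumed tie-breakers.
    "content_length": lambda e: (-e.content_length, e.priority, e.sid),
    # Alternative: most severe rule priority first. The keyword 'priority' is
    # an assumption; the manual text above only names content_length.
    "priority": lambda e: (e.priority, -e.content_length, e.sid),
}


class EventQueue:
    """Bounded, ordered queue of events for a single packet or stream."""

    def __init__(self, max_queue=8, log=3, order_events="content_length"):
        if max_queue < 1:
            raise ValueError("max_queue must be at least 1")
        if order_events not in ORDER_KEYS:
            raise ValueError(f"unknown order_events method: {order_events!r}")
        self.max_queue = max_queue
        # You cannot log more events than the queue can hold, so 'log' is
        # effectively capped at max_queue.
        self.log = min(log, max_queue)
        self.key = ORDER_KEYS[order_events]
        self._events = []

    def add(self, event):
        """Insert in queue order and keep only the first max_queue entries.

        Which events are discarded once the queue is full is an assumption of
        this model; the manual only says that at most max_queue are stored.
        """
        self._events.append(event)
        self._events.sort(key=self.key)
        del self._events[self.max_queue:]

    def queued(self):
        """Everything currently held for this packet, in queue order."""
        return list(self._events)

    def to_log(self):
        """The first 'log' events in queue order are what gets written out."""
        return self._events[: self.log]


# Constructed sample: four rules firing on the same packet.
SAMPLE_EVENTS = [
    Event(1000001, priority=3, content_length=4, msg="short content, low priority"),
    Event(1000002, priority=1, content_length=6, msg="medium content, high priority"),
    Event(1000003, priority=2, content_length=12, msg="long content, medium priority"),
    Event(1000004, priority=3, content_length=9, msg="long content, low priority"),
]


def logged_sids(events, max_queue=8, log=3, order_events="content_length"):
    """Feed events through a queue and return the sids that would be logged."""
    queue = EventQueue(max_queue=max_queue, log=log, order_events=order_events)
    for event in events:
        queue.add(event)
    return [e.sid for e in queue.to_log()]


if __name__ == "__main__":
    print("default (content_length, log 3):", logged_sids(SAMPLE_EVENTS))
    print("order_events priority:          ", logged_sids(SAMPLE_EVENTS, order_events="priority"))
    print("max_queue 2, log 3 (capped):    ", logged_sids(SAMPLE_EVENTS, max_queue=2, log=3))
```

With the defaults, the three longest content matches are logged and the short, low-priority hit is dropped; switching to the priority ordering promotes the high-priority rule to the front even though its content match is shorter. Setting max_queue below log shows the cap described under the log option.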

2.4.4.2 Event Queue Configuration Examples

The default configuration:


Example of a reconfigured event queue:


Use the default event queue values, but change event order:


Use the default event queue values but change the number of logged events:

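The four configurations described above, written out as added examples since the original listings did not survive extraction (these are not the manual's own listings). The concrete values 10 and 2, and the ordering keyword priority, are assumptions chosen to illustrate each case:

```text
# Default configuration: same as not specifying event_queue at all
config event_queue: max_queue 8 log 3 order_events content_length

# Reconfigured event queue: hold up to 10 events per packet, still log 3
config event_queue: max_queue 10 log 3 order_events content_length

# Default values, but order events by rule priority instead of content length
config event_queue: order_events priority

# Default values, but log only 2 events per packet or stream
config event_queue: log 2
```

Note that raising log above max_queue has no effect, since no more events than max_queue are ever stored for a packet.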