How to view Snort alert logs

Snort alert output shows whether a rule fired and where the sensor wrote the event. The alert_fast logger keeps each event on a compact text line, which makes it useful for pcap replay checks and quick sensor smoke tests.

The alert_fast logger prints to stdout by default. When alert_fast.file is set to true and -l names a log directory, Snort writes the same fast-format events to alert_fast.txt in that directory.

The starting point is a validated Snort 3 configuration, a local rule file, and a pcap that should trigger one alert. Use file output for services and for replay evidence, and switch to JSON alerts when another system needs structured fields.

Steps to view Snort alert logs:

  1. Confirm the alert_fast logger options.
    $ snort --help-module alert_fast
    alert_fast
    Help: output event with brief text format
    bool alert_fast.file = false: output to alert_fast.txt instead of stdout
    bool alert_fast.packet = false: output packet dump with alert
    enum alert_fast.buffers = 'none': output IPS buffer dump
    int alert_fast.limit = 0: set maximum size in MB before rollover
  2. Create the log directory for saved alert output.
    $ sudo install -d -m 0755 /var/log/snort
  3. Run Snort with fast alerts on stdout.
    $ sudo snort -q -c /usr/local/etc/snort/snort.lua \
        -R /usr/local/etc/snort/rules/local.rules \
        -r udp-test.pcap -k none -A alert_fast

    -k none turns off checksum verification. Use it only when the pcap carries checksum metadata that would otherwise keep the lab packet from matching.

  4. Confirm that the alert appears on stdout.
    06/25-00:23:53.106340 [**] [1:1000001:1] "LOCAL UDP test" [**] [Priority: 0] {UDP} 127.0.0.1:34392 -> 127.0.0.1:31337
  5. Run Snort with fast alerts written to a file.
    $ sudo snort -q -c /usr/local/etc/snort/snort.lua \
        -R /usr/local/etc/snort/rules/local.rules \
        -r udp-test.pcap -k none -A alert_fast \
        --lua 'alert_fast = { file = true }' \
        -l /var/log/snort
  6. Read the saved alert file.
    $ sudo cat /var/log/snort/alert_fast.txt
    06/25-00:23:53.106340 [**] [1:1000001:1] "LOCAL UDP test" [**] [Priority: 0] {UDP} 127.0.0.1:34392 -> 127.0.0.1:31337
  7. Inspect the service journal if a managed sensor does not update the alert file.
    $ sudo journalctl -u snort --since "10 minutes ago" --no-pager

    A service can run a different command, interface, rule path, or log directory than the manual replay test.
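Once the alert file exists, the usual check is that the expected rule fired the expected number of times and nothing else did. The parser below is an added example, not part of this page or of Snort; it assumes the alert_fast line shape shown above (no packet dump) plus an optional Classification block that Snort prints only for rules with a classtype, and the sample lines are constructed from the page's UDP event.

```python
import re
from collections import Counter
from typing import Iterable, Optional

# One alert_fast line without the packet dump (alert_fast.packet = false) looks like:
#   <ts> [**] [gid:sid:rev] "msg" [**] [Classification: ...] [Priority: N] {PROTO} src[:port] -> dst[:port]
# The Classification block is assumed optional (present only for rules with a classtype); ICMP lines carry no ports.
ALERT_FAST_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"(?P<msg>[^"]*)"\s+\[\*\*\]\s+'
    r'(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?'
    r'\[Priority:\s*(?P<prio>\d+)\]\s+'
    r'\{(?P<proto>[^}]+)\}\s+'
    r'(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?$'
)


def parse_alert_fast_line(line: str) -> Optional[dict]:
    """Parse one alert_fast line into a dict, or return None for non-alert lines.

    Caveat: an IPv6 address printed without a port would be split at its last
    colon; this lab-oriented parser does not disambiguate that case.
    """
    m = ALERT_FAST_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        d[key] = int(d[key])
    for key in ("sport", "dport"):
        d[key] = int(d[key]) if d[key] is not None else None
    return d


def count_by_rule(lines: Iterable[str]) -> Counter:
    """Tally alerts per gid:sid, the first check after a pcap replay:
    the expected rule should fire the expected number of times and nothing else."""
    return Counter(f"{a['gid']}:{a['sid']}" for a in map(parse_alert_fast_line, lines) if a)


# Constructed sample: the page's UDP test event twice, a port-less ICMP event
# with a classification, and one non-alert line that must be ignored.
SAMPLE_ALERT_FAST = """\
06/25-00:23:53.106340 [**] [1:1000001:1] "LOCAL UDP test" [**] [Priority: 0] {UDP} 127.0.0.1:34392 -> 127.0.0.1:31337
06/25-00:23:54.000001 [**] [1:1000001:1] "LOCAL UDP test" [**] [Priority: 0] {UDP} 127.0.0.1:34393 -> 127.0.0.1:31337
06/25-00:24:10.500000 [**] [1:1000002:1] "LOCAL ICMP test" [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.1
-- stray non-alert line --
"""
```

Feed it the lines of /var/log/snort/alert_fast.txt and compare the resulting tally against the rule and count the replay was supposed to produce.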