Snort Logging Level Differences

Mark Littell · ‎10-03-2018

I see that Snort has 8 different logging levels:

logging level {alert | crit | debug | emerg | err | info | notice | warning}

What are the differences between them?

I did find a listing related to Snort Web Filtering that states:

Level	Description
1 - Emergencies	System unusable
2 - Alerts	Immediate action needed
3 - Critical	Critical condition
4 - Errors	Error condition
5 - Warnings	Warning condition
6 - Notifications	Normal but significant condition
7 - Informational	Informational messages only
8 - Debugging	Appears during debugging only

But that can be confusing too. Does setting the logging level to debug only send messages when Snort is in Debug mode?

I am looking to get all the messages possible and then dial it back from there.

Or is there another / better description of the different logging levels?

Thanks

Shubham Bharti · ‎11-10-2018

This is something common over most of the platforms. The logging level ranges from 0-Fatal/Emergency to 7-Debug. The higher the level higher the inclusion of more granular, diagnostic information with more "noise" than you'd want in normal production situations. Setting a component to debug is a starter pack for any detailed diagnostic information.

No, the moment you set a component to debug, it will start logging message at that log level.

Ideally, one should stick to Warning/Error level so that there is a balance of load and information at production site.