> However, a log is created in /nsm/em0/today/em0.snort.log.1126727428 > which is 24 bytes that I can't read
That's from unified logging which is roughly pcap format. The 24 bytes are similar to the pcap file header, i.e. it is an empty log file. > Question 1) Is snort running but not shown w/ the ps flags I'm using? I use "ps auxww", the snort process should show up. If it doesn't, you probably have configuration errors. See also the -T flag (test mode). > Question 2) Does anyone know how to read the snort.log file? I use barnyard for this. You may want to change unified logging to syslog logging in order to see alerts in plaintext. > Question 3) if there is an error with a script in rc.local where does > the error get logged? That's up to you and your app, there's no special mechanism. ciao, chakl
