Snort produces several kinds of output: alert events, packet logs, and statistics. Use the -A option to choose an alert format, -l to set the log directory, and the perf_monitor module to capture runtime statistics.

Alert modes

The -A flag selects the alert output format. You can use any logger plugin available in your build.
cmg is equivalent to -A fast -d -e. It prints a one-line alert summary followed by packet headers and the payload in both hex and text.
snort -c snort.lua -r a.pcap -A cmg
This is the most informative text format and is recommended for interactive investigation.
To see all available alert and logger plugins in your build:
snort --list-plugins | grep logger

Output file structure

When running with multiple packet threads, Snort cannot use a single shared output file. Instead, it formats output paths automatically using this pattern:
<logdir>/[<run_prefix>][<id#>][<X>]<name>
Component    Description
logdir       Set with -l. Defaults to ./
run_prefix   Set with --run-prefix. Omitted if not specified
id#          Packet thread number. Omitted for single-thread runs unless --id-zero is set
X            / if using --id-subdir, otherwise _ when id# is present
name         Based on the module writing the file
All text-mode outputs (fast, csv, json, etc.) default to stdout. Only binary formats like unified2 write files by default.
1. Log to unified2 in the current directory

snort -c snort.lua -r a.pcap -A unified2
2. Log with a custom prefix

snort -c snort.lua -r a.pcap -A unified2 --run-prefix take2
3. Log to a specific directory

snort -c snort.lua -r a.pcap -A unified2 -l /tmp
4. Run 4 threads with per-thread output files

Each thread writes its own file, numbered 0–3:
snort -c snort.lua --pcap-dir /path/to/pcap/dir \
    --pcap-filter '*.pcap' -z 4 -A unified2
5. Use subdirectories instead of prefixes

snort -c snort.lua --pcap-dir /path/to/pcap/dir \
    --pcap-filter '*.pcap' -z 4 -A unified2 --id-subdir
Subdirectories are created automatically.

Statistics at shutdown

When Snort exits, it prints statistics to stdout. Zero-valued counts are suppressed to keep the output readable.

Packet statistics

Counts from the DAQ and decoders: packets received, UDP packets, TCP packets, and so on.

Module statistics

Each module reports peg counts: how many times it observed or performed something. Examples include HTTP GET requests seen by http_inspect and TCP resets trimmed.

File statistics

Breakdown of file types, bytes processed, and file signatures identified.

Summary statistics

Total runtime, packets per second, and profiling data if the profiler module is configured.
To see all available counts before running:
snort --help-counts

Multi-thread output

When you run with multiple packet threads (-z N), each thread writes to its own output file. With 4 threads and unified2 output, you get 4 separate .u2 files.
# 4 threads → 4 unified2 files
snort -c snort.lua --pcap-dir /path/to/pcap/dir \
    --pcap-filter '*.pcap' -z 4 -A unified2
Output files will be named like snort.log.0, snort.log.1, snort.log.2, snort.log.3 (or in subdirectories 0/, 1/, 2/, 3/ with --id-subdir).
There is no way to configure a full explicit path for output files when using multiple threads. Use -l, --run-prefix, and --id-subdir to control the path structure.
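A post-run check for the multi-thread layout, as an added example (not code from the Snort project): it builds each packet thread's expected path from the <logdir>/[<run_prefix>][<id#>][<X>]<name> pattern in the Output file structure section and lists any file that is missing, so a collector does not silently skip a thread. The function names, the sample directory and the file name unified2.log are assumptions; pass the name your logger actually writes.

```shell
#!/bin/sh
# Added example: verify per-thread Snort output files after a -z N run.
# Paths follow <logdir>/[<run_prefix>][<id#>][<X>]<name> for multi-thread runs.

# expected_paths LOGDIR RUN_PREFIX THREADS LAYOUT NAME
#   LAYOUT: "subdir" (run used --id-subdir) or "prefix" (default "_" separator)
#   NAME:   file name written by the logger module (assumption, caller-supplied)
expected_paths() {
    logdir=${1:-.}; prefix=$2; threads=$3; layout=$4; name=$5
    case $threads in
        ''|*[!0-9]*) echo "threads must be a number" >&2; return 2 ;;
    esac
    # Single-thread runs omit id# unless --id-zero is set; not handled here.
    [ "$threads" -ge 2 ] || { echo "multi-thread runs only" >&2; return 2; }
    case $layout in
        subdir) sep=/ ;;
        prefix) sep=_ ;;
        *) echo "layout must be subdir or prefix" >&2; return 2 ;;
    esac
    id=0
    while [ "$id" -lt "$threads" ]; do
        printf '%s/%s%s%s%s\n' "${logdir%/}" "$prefix" "$id" "$sep" "$name"
        id=$((id + 1))
    done
}

# missing_outputs: same arguments as expected_paths. Prints every expected
# path that does not exist as a regular file; returns 1 if any are missing.
missing_outputs() {
    paths=$(expected_paths "$@") || return 2
    status=0
    while IFS= read -r p; do
        [ -f "$p" ] || { printf '%s\n' "$p"; status=1; }
    done <<EOF
$paths
EOF
    return $status
}

# Usage after a run such as: snort ... -z 4 -A unified2 -l /var/log/snort
# (directory and file name are constructed sample values):
#   missing_outputs /var/log/snort '' 4 prefix unified2.log
```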