Snort mailing list archives
RE: Problems logging to syslog and mysql simultaneously
From: "Michael Steele" <michaels () silicondefense com>
Date: Wed, 19 Jun 2002 17:38:16 -0700
Don,

Hummm... This is bizarre... I have 37k alerts in my Syslog, so I know it works. Are you sure you don't have some service turned off that is preventing the alerts from arriving? What version of Snort? Do you have alerts in the syslog? Can you send me your snort.conf?

-Michael

--
Michael Steele | System Engineer / Support Technician
mailto:michaels () silicondefense com
Silicon Defense: IDS solutions - http://www.silicondefense.com
Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Don
Sent: Wednesday, June 19, 2002 5:17 PM
To: Michael Steele; 'Don'
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Problems logging to syslog and mysql simultaneously

I have this setup the same on multiple systems, so a system problem is not likely. The -s switch on the snort command line is used as such:

    snort -s 12.34.12.1:514

or whatever your remote syslog server IP address is, as well as the port number it listens on for UDP syslog messages.

I've tried the snort.conf entries just as you suggested; it does not work on any system I have. Again, I don't see how multiple win2k systems could have some inherent problem that prevents this snort function from working. Yes, all systems are fully patched. I've been trying this for many months, so it is highly unlikely that a recent Windows patch can be preventing it from working. I've also tried on systems in varying stages of Windows installation, i.e. win2k plain, win2k SP1, win2k SP2, security rollup X, etc.

As I said, the -s switch on the command line is the only way I have been able to get snort to syslog anywhere, even to a local syslog server. This is on win2kpro (win2k Server has also been tried) using the latest Kiwi Syslog ver 7.01; it gets absolutely nothing from snort using the snort.conf file lines you suggest, and I know I should be getting alerts since I'm pounding it with portscans and vuln scans from 2 remote systems, whereas I get complete alerts when I use the command line -s switch to log to the local syslog.

Don

-----Original Message-----
From: Michael Steele [mailto:michaels () silicondefense com]
Sent: Wednesday, June 19, 2002 4:39 PM
To: 'Don'
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Problems logging to syslog and mysql simultaneously

Don,

What I sent you works here. I can turn the Syslog option off/on by removing or adding the lines to snort.conf. Are there any events in your Syslog? What version of Windows? Have you upgraded to the latest Service Pack? This is a strange problem, and more a system problem than a Snort problem.

The -s switch only works on UNIX, as far as I know. The only option is what I sent you for sending alerts to the Syslog. It is a very limited output of one line that is sent to Syslog when the plug-in is turned on. You will get more information from your management console (Acid, Snortsnarf, IDS Center, or whatever you're using) than from this Syslog alert entry.

Email alerting is what I'm looking for, but so far I have been unable to find anything like Swatch that will monitor the Syslog and send out alerts based on a pattern. This is useful if you are logging to Syslog, but you are still only seeing a small part of the alert.

-Michael

--
Michael Steele | System Engineer / Support Technician
mailto:michaels () silicondefense com
Silicon Defense: IDS solutions - http://www.silicondefense.com
Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: Don [mailto:Don () WeberOnTheWeb com]
Sent: Wednesday, June 19, 2002 3:34 PM
To: Michael Steele
Subject: RE: [Snort-users] Problems logging to syslog and mysql simultaneously

Tried that, did that, just now again even, still no go.

Don

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Michael Steele
Sent: Wednesday, June 19, 2002 3:13 PM
To: dlpassport () s2access com
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Problems logging to syslog and mysql simultaneously

Dallas,

Remove the -s switch and add these to your Snort.conf:

    output alert_syslog: LOG_AUTH LOG_ALERT
    output alert_full

-Michael

--
Michael Steele | System Engineer / Support Technician
mailto:michaels () silicondefense com
Silicon Defense: IDS solutions - http://www.silicondefense.com
Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of dlpassport () s2access com
Sent: Wednesday, June 19, 2002 2:46 PM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Problems logging to syslog and mysql simultaneously

I'm still experiencing the same problem logging to a local syslog, even with the database logging disabled... it will only write there if I specify the -s 127.0.0.1. I've got a feeling I'm missing something obvious. Any suggestions?

Thanks,
DL

-----Original Message-----
From: Michael Steele [mailto:michaels () silicondefense com]
Sent: Wednesday, June 19, 2002 2:26 PM
To: dlpassport () s2access com
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Problems logging to syslog and mysql simultaneously

Dallas,

You need to pick up a syslog server like Kiwi Syslog Server or a freeware one:

Snip--Snip ->
For stability I would recommend 3com's free syslog server for Windowz
http://support.3com.com/software/utilities_for_windows_32_bit.htm <-- for a bunch of goodies
ftp://ftp.3com.com/pub/utilbin/win32/3CSyslog.zip <-- for the syslog server
It runs great on 2K & XP

This one may work:
http://www.cls.de/Default.asp works well but randomly inserts fixed string in syslog output in the freeware version.
<--snip-->

Hello list.

I am running Snort 1.8.7-mysql-win32 and am having the following problem. I would like to log to the local mysql database as well as a remote syslog. From all that I can find, the only way to log to a remote syslog is with a -s 1.1.1.1 option from the command line. When I specify this on the command line, snort ignores my output database statement. Is there any way to specify a remote syslog server within snort.conf? What else could be causing this problem? I'd prefer not to log to a local syslogd then forward.

Thanks,
Dallas LaRose

<--snip from snort.conf-->
output alert_syslog: LOG_AUTH LOG_ALERT
output database: log, mysql, user=snort password=blah dbname=snort port=3306 host=localhost
<--snip-->

<--snip-->

-------------------------------------------------------
Bringing you mounds of caffeinated joy >>> http://thinkgeek.com/sf <<<
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
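Michael mentions wanting something like Swatch to watch the Syslog and send out alerts based on a pattern. As an added example (not code from the thread, from Snort, or from Silicon Defense), this Python pass parses the one-line format of Snort's alert_syslog output (the line layout is assumed from Snort 1.x; the thread only says it is one limited line), applies a hypothetical paging policy, and returns the messages a mailer would send. The sample syslog lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# One-line alert as written by Snort's alert_syslog plug-in (format assumed from
# Snort 1.x; the thread only notes that it is a single, very limited line).
ALERT_RE = re.compile(
    r"snort(?:\[\d+\])?: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] )?\[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?"
)

@dataclass
class Alert:
    sid: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    dst: str

def parse_alert(line: str) -> Optional[Alert]:
    """Return an Alert for a Snort syslog line, None for any other syslog line."""
    m = ALERT_RE.search(line)
    return Alert(int(m["sid"]), m["msg"], m["cls"], int(m["prio"]),
                 m["proto"], m["src"], m["dst"]) if m else None

# Hypothetical paging policy: priority-1 alerts, or selected classifications.
WATCH_CLASSES = {"Attempted Information Leak", "Web Application Attack"}
def should_notify(a: Alert, max_priority: int = 1) -> bool:
    return a.priority <= max_priority or a.classification in WATCH_CLASSES

def notifications(lines: Iterable[str]) -> List[str]:
    """Swatch-style pass over syslog lines: one message per alert worth paging on."""
    out = []
    for line in lines:
        a = parse_alert(line)
        if a and should_notify(a):
            out.append(f"[sid {a.sid} p{a.priority}] {a.msg} {a.proto} {a.src} -> {a.dst}")
    return out

# Constructed sample syslog lines (not from the thread); the last is not from Snort.
SAMPLE = """\
Jun 19 17:38:16 sensor1 snort[1234]: [1:2003:2] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 10.0.0.5:1434 -> 10.0.0.9:1434
Jun 19 17:38:17 sensor1 snort[1234]: [1:1256:7] WEB-IIS CodeRed v2 root.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 10.0.0.5:3321 -> 10.0.0.9:80
Jun 19 17:38:18 sensor1 snort[1234]: [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.5 -> 10.0.0.9
Jun 19 17:38:19 sensor1 kiwi: unrelated line that must be ignored
"""
```

Feeding `notifications(SAMPLE.splitlines())` the constructed lines yields two messages (the priority-1 CodeRed alert and the watched-classification NMAP ping); the Misc Attack line and the non-Snort line are dropped.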