Snort mailing list archives

Snort syslog + mysql + eventlog


From: "Romulo M. Cholewa" <rmc () rmc eti br>
Date: Tue, 20 Apr 2004 09:16:47 -0300

Hi there,

I searched the list for some info on this and found out some issues in
the past, that somewhat confirm what I'm experiencing.

The problem is, I can't get snort (win32 212) to log to those facilities
at the same time.

In fact, if I use any command line logging switch BUT the -l (log file)
the other logs are disabled. For example, if I use the -E, only eventlog
logging will occur. If I use the -s, only syslog will occur.

But what I need is snort logging to the event log, to a mysql database
and to syslog. I can get it to log to the database and to the eventlog
at the same time, but I can't get it to log to syslog too.

I read the manual and it appears that the syslog syntax is something
like this:

output alert_syslog: host=x.y.z.w:514, LOG_facility LOG_priority

The syslog server is a Kiwi Syslog Daemon. I tried the following logs:

output alert_syslog: LOG_AUTH LOG_ALERT
output alert_syslog: host=x.y.z.w:514, LOG_LOCAL0 LOG_DEBUG
output alert_full: alert.ids
output database: log, mysql, user=snort password=<secret> dbname=acid host=192.168.x.y

I also tried commenting out the first syslog line, leaving only the...

output alert_syslog: host=x.y.z.w:514, LOG_LOCAL0 LOG_DEBUG

... and also tried different facilities and priorities. No syslog
occurred. It only works if I specify the -s switch in the command line
but then, eventlog and database logging stops (and I can't redirect the
syslog output).

Any ideas / workarounds? Is it a known issue, or not an issue at all
(ok, I need some sleep anyway...)?

Thanks in advance,

Romulo M. Cholewa
Home: http://www.rmc.eti.br
News: http://www.rmc.eti.br/news
PGP key id 0x7F8A3B40
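As an added example (not part of the original post or of Snort itself), the script below is a minimal stand-in for the syslog collector on the receiving end of an `output alert_syslog: host=x.y.z.w:514, LOG_LOCAL0 LOG_DEBUG` line. It decodes the syslog PRI field back into the LOG_facility / LOG_priority pair the config names, and parses the classic Snort 2.x alert body (`[gid:sid:rev] msg [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port`) into structured fields, so a defender can confirm that alerts are actually arriving and with the expected facility. The sample lines, hostnames and rule SIDs are constructed; the exact message layout is an assumption based on the alert_syslog plugin's usual output, and only IPv4 addresses are handled.

```python
"""Parse Snort 2.x alert_syslog messages as a syslog collector would see them.

Added example, not Snort's code. Assumes the classic alert_syslog layout:
  <PRI>[timestamp] [host] snort[pid]: [gid:sid:rev] msg [Classification: c] \
  [Priority: n] {PROTO} src[:port] -> dst[:port]
"""
from __future__ import annotations

import re
import socket
from dataclasses import dataclass
from typing import Iterator, Optional

# Standard syslog facility and severity numbers (RFC 3164), named as in snort.conf.
FACILITIES = {0: "LOG_KERN", 1: "LOG_USER", 2: "LOG_MAIL", 3: "LOG_DAEMON",
              4: "LOG_AUTH", 5: "LOG_SYSLOG", 6: "LOG_LPR", 7: "LOG_NEWS",
              8: "LOG_UUCP", 9: "LOG_CRON", 10: "LOG_AUTHPRIV", 11: "LOG_FTP"}
FACILITIES.update({16 + i: f"LOG_LOCAL{i}" for i in range(8)})
SEVERITIES = {0: "LOG_EMERG", 1: "LOG_ALERT", 2: "LOG_CRIT", 3: "LOG_ERR",
              4: "LOG_WARNING", 5: "LOG_NOTICE", 6: "LOG_INFO", 7: "LOG_DEBUG"}

ALERT_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"                                  # optional syslog PRI
    r"(?:[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d +)?"               # optional BSD timestamp
    r"(?:(?P<host>[^\s:\[]+) +)?"                                # optional hostname
    r"snort(?:\[\d+\])?: +"                                      # program tag
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] +"
    r"(?P<msg>.+?) +"
    r"(?:\[Classification: (?P<cls>[^\]]*)\] +)?"                # may be absent
    r"\[Priority: (?P<prio>\d+)\] +"
    r"\{(?P<proto>[A-Za-z0-9]+)\} +"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))? +-> +"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?$"
)


@dataclass
class SnortAlert:
    facility: Optional[str]
    severity: Optional[str]
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def decode_pri(pri: int) -> tuple[str, str]:
    """Split a syslog PRI value into (facility, severity) names: PRI = facility*8 + severity."""
    return FACILITIES.get(pri >> 3, f"facility{pri >> 3}"), SEVERITIES[pri & 7]


def parse_alert(line: str) -> Optional[SnortAlert]:
    """Return a SnortAlert for a Snort syslog line, or None for anything else."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    facility = severity = None
    if m.group("pri") is not None:
        facility, severity = decode_pri(int(m.group("pri")))
    return SnortAlert(
        facility=facility, severity=severity,
        gid=int(m.group("gid")), sid=int(m.group("sid")), rev=int(m.group("rev")),
        msg=m.group("msg"), classification=m.group("cls"), priority=int(m.group("prio")),
        proto=m.group("proto"),
        src=m.group("src"), sport=int(m.group("sport")) if m.group("sport") else None,
        dst=m.group("dst"), dport=int(m.group("dport")) if m.group("dport") else None,
    )


def listen(bind_addr: str = "0.0.0.0", port: int = 514) -> Iterator[SnortAlert]:
    """Receive UDP syslog datagrams (as Kiwi would) and yield the Snort alerts among them."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, _peer = sock.recvfrom(65535)
            alert = parse_alert(data.decode("utf-8", errors="replace"))
            if alert is not None:
                yield alert


# Constructed sample datagrams: the first uses LOG_LOCAL0 LOG_DEBUG (PRI 135),
# the second LOG_AUTH LOG_ALERT (PRI 33), the third has no classification,
# and the last is an unrelated syslog line that must be ignored.
SAMPLE_LINES = [
    "<135>snort: [1:1000001:1] ICMP test ping [Classification: Misc activity] "
    "[Priority: 3] {ICMP} 192.168.1.20 -> 192.168.1.1",
    "<33>sensor01 snort[4242]: [1:1000002:2] TCP test probe "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:41234 -> 10.0.0.9:445",
    "<135>snort: [1:1000003:1] Unclassified test alert [Priority: 1] {UDP} 10.0.0.7:5353 -> 224.0.0.251:5353",
    "Apr 20 09:16:47 sensor01 sshd[4243]: Accepted publickey for user1 from 10.0.0.2",
]


def count_by_sid(lines: list[str]) -> dict[int, int]:
    """Tally parsed alerts per rule SID; non-Snort lines are skipped."""
    counts: dict[int, int] = {}
    for line in lines:
        alert = parse_alert(line)
        if alert is not None:
            counts[alert.sid] = counts.get(alert.sid, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_alert(line))
    print(count_by_sid(SAMPLE_LINES))
```

Run it as-is to see the parsed sample lines; to use it as a live test collector, call `listen()` on the host named in the `host=` option (binding port 514 needs elevated privileges) and check that the facility and severity it reports match the pair configured in snort.conf.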

