Snort mailing list archives
Re: [snort-users] alert_syslog and remote syslogs: win32 only?
From: gravyface <gravyface () gmail com>
Date: Mon, 17 Aug 2009 10:09:36 -0400
On Fri, Aug 14, 2009 at 4:01 PM, Frank Knobbe<frank () knobbe us> wrote:
> On Fri, 2009-08-07 at 19:30 -0400, GravyFace wrote:
>> snort -c /etc/snort/snort.conf -pDs -A fast -l /var/log/snort -i eth0
>>
>> snort.conf:
>> ===========
>> var RULE_PATH /etc/snort/rules/
>> output alert_syslog: host=192.168.0.3, LOG_AUTH LOG_ALERT
>> include $RULE_PATH/test.rules
>> [...]
>>
>> The documentation seems to imply that this host:port parameter is for
>> win32, but assumed it was -- as the docs mention -- because win32 doesn't
>> have syslog, but that it would still work under Linux. Am I wrong? If so,
>> what's the recommended method of doing remote syslogging?
>
> Oh, that brings back memories... since I had submitted the patch to enable
> syslog under Win32 back in... 2001? 2000? Anyway, yes, if you run *nix,
> then the syslog directive will cause the packet to be written to the local
> syslog. If you want to send any packets to another syslog server, you have
> to modify the syslog config to enable forwarding of alerts.
I don't quite understand the reasoning behind forcing *nix to write to the local syslog only: it seems a bit cleaner to allow local or remote from within Snort, depending on the config value, with a default of remote if Win32 vs. local for *nix in the config. No need for any filtering/syslog-ng that way.
> I'm not sure what syslog daemon you use. I prefer syslog-ng which is highly
> customizable, and can be configured to only forward Snort alerts to a remote
> server.
I'm using syslogd; it's sending all auth.alert events to the remote syslog. It's working well.
> Hope that helps,
> Frank
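Added example, not from this thread or the Snort project: the two-part setup Frank describes for *nix, using the 192.168.0.3 collector from the original post. Snort keeps writing to the local syslog (no host= parameter on *nix), and the forwarding is done by the syslog daemon. The syslogd line is what the "auth.alert to remote" setup above amounts to; the syslog-ng block is the equivalent restricted to Snort's own messages. The UDP port 514 and the program name "snort" are assumptions, not something the thread states.

```conf
# --- snort.conf (on *nix the output plugin writes to the LOCAL syslog;
#     host= is only honoured by the Win32 build) ---
output alert_syslog: LOG_AUTH LOG_ALERT

# --- /etc/syslog.conf (classic syslogd) ---
# Forward every message at facility auth, priority alert to the collector.
# Note: this matches ALL auth.alert messages, not just Snort's.
auth.alert    @192.168.0.3

# --- syslog-ng.conf: same facility/priority, but limited to Snort's messages.
#     program() matches the syslog tag; "snort" is assumed here.
#     Port 514/UDP is assumed (plaintext, no integrity protection). ---
source      s_local  { unix-stream("/dev/log"); internal(); };
filter      f_snort  { facility(auth) and level(alert) and program("snort"); };
destination d_remote { udp("192.168.0.3" port(514)); };
log { source(s_local); filter(f_snort); destination(d_remote); };
```

With classic syslogd, every auth.alert message (not only Snort's) goes to the collector, so check what else on the sensor logs at that facility and priority before relying on it; syslog-ng's program() filter narrows it to the Snort tag. Either way the transport is unauthenticated UDP, so the collector should only accept 514/udp from the sensor's address, and a TCP or TLS transport is preferable where the daemon supports one.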