Snort mailing list archives
Re: [snort-users] alert_syslog and remote syslogs: win32 only?
From: Frank Knobbe <frank () knobbe us>
Date: Mon, 17 Aug 2009 10:31:01 -0500
On Mon, 2009-08-17 at 10:09 -0400, gravyface wrote:
> Not quite. I understand the reasoning behind forcing *nix to write to the local syslog only:
'cause that's the way syslog normally works. It's just a system call to the log function. The application (Snort in this case) doesn't assemble packets. It just calls a "log" function. The syslog daemon does the rest.
> It seems a bit cleaner to allow local or remote from within Snort, depending on the config value, with a default of remote if Win32 vs. local for *nix in the config. No need for any filtering/syslog-ng that way.
In Windows the only way to do syslog is to assemble the packet and put it on the wire. That's the only reason there is an option for a remote server. It's actually nicer to have the *nix syslog daemon send the message. For one, it's less work for Snort, less CPU cycles for logging, and Snort can allocate more CPU for what it's intended to do, analyze packets. The other reason is that, once the "log" call has been made, and Snort is done, the syslog daemon can filter the data if desired, and send to as many remote machines as you configure, without burdening Snort.

Cheers,
Frank
Attachment:
signature.asc
Description: This is a digitally signed message part
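The two paths Frank contrasts above, as an added example that is not Snort's code and not part of the original thread: on *nix the application makes one syslog(3) call and the local daemon does the formatting, filtering and forwarding; on Win32 there is no daemon to hand the message to, so the application has to assemble the RFC 3164 datagram ("<PRI>timestamp host tag: msg", where PRI is facility*8 + severity) and send it over UDP/514 itself. The facility LOG_AUTH, severity LOG_ALERT, hostname "sensor1", the fixed timestamp and the alert text are all constructed for the example.

```c
/*
 * Added example (not Snort's own code). Shows why "remote syslog" is only a
 * Win32 concern: on *nix syslog(3) hands the text to the local daemon, while a
 * platform without that daemon must build and send the UDP datagram itself.
 * Facility/severity, hostname, timestamp and alert text are assumptions.
 */
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>

#define SYSLOG_MAX 1024  /* RFC 3164 caps a datagram at 1024 bytes */

/* The <PRI> field on the wire is facility*8 + severity. Because <syslog.h>
 * stores the facility pre-shifted by 3 (LOG_AUTH is 4<<3), this is the same
 * number that the first argument of syslog(3) carries: LOG_AUTH|LOG_ALERT == 33. */
int syslog_pri(int facility, int severity)
{
    return LOG_FAC(facility) * 8 + LOG_PRI(severity);
}

/* Assemble "<PRI>Mmm dd hh:mm:ss host tag: msg" into out. Returns the length
 * written, or -1 if the message would not fit. The timestamp is passed in so
 * the output is deterministic; a real sender would format localtime(). */
int build_syslog_datagram(char *out, size_t outlen, int facility, int severity,
                          const char *timestamp, const char *hostname,
                          const char *tag, const char *msg)
{
    int n = snprintf(out, outlen, "<%d>%s %s %s: %s",
                     syslog_pri(facility, severity), timestamp, hostname, tag, msg);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* Win32-style path: the application puts the assembled datagram on the wire. */
int send_syslog_udp(const char *host, unsigned short port,
                    const char *dgram, size_t len)
{
    struct sockaddr_in sin;
    ssize_t sent;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (inet_pton(AF_INET, host, &sin.sin_addr) != 1) {
        close(fd);
        return -1;
    }
    sent = sendto(fd, dgram, len, 0, (struct sockaddr *)&sin, sizeof sin);
    close(fd);
    return sent == (ssize_t)len ? 0 : -1;
}

/* *nix path: a single library call. No formatting, filtering or routing
 * happens here; the daemon reading /dev/log decides where the line goes. */
void log_local(const char *tag, int facility, int severity, const char *msg)
{
    openlog(tag, LOG_PID | LOG_NDELAY, facility);
    syslog(facility | severity, "%s", msg);
    closelog();
}

int main(int argc, char **argv)
{
    /* Constructed alert text in the general shape of a Snort alert line. */
    const char *alert = "[1:1000001:1] constructed test alert "
                        "[Classification: Misc activity] [Priority: 3] "
                        "{TCP} 192.0.2.10:40000 -> 198.51.100.5:22";
    char dgram[SYSLOG_MAX + 1];
    int len = build_syslog_datagram(dgram, sizeof dgram, LOG_AUTH, LOG_ALERT,
                                    "Aug 17 10:31:01", "sensor1", "snort", alert);
    if (len > 0)
        printf("wire format: %s\n", dgram);

    log_local("snort", LOG_AUTH, LOG_ALERT, alert);   /* *nix: daemon does the rest */
    if (argc > 1 && len > 0)                            /* optional: emulate the win32 path */
        return send_syslog_udp(argv[1], 514, dgram, (size_t)len);
    return 0;
}
```

Run it with no argument and the alert appears wherever the local daemon routes LOG_AUTH messages (and, if the daemon is configured to forward, on every remote collector it forwards to); run it with an IPv4 address to see the Win32-style path, where the process itself owns the datagram and a socket. Filtering or fan-out to several collectors on that second path would all have to be added to the application, which is the CPU and complexity cost the reply describes.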
Current thread:
- [snort-users] alert_syslog and remote syslogs: win32 only? GravyFace (Aug 07)
- Re: [snort-users] alert_syslog and remote syslogs: win32 only? Frank Knobbe (Aug 14)
- Re: [snort-users] alert_syslog and remote syslogs: win32 only? gravyface (Aug 17)
- Re: [snort-users] alert_syslog and remote syslogs: win32 only? Frank Knobbe (Aug 17)
- Re: [snort-users] alert_syslog and remote syslogs: win32 only? gravyface (Aug 17)
- Re: [snort-users] alert_syslog and remote syslogs: win32 only? gravyface (Aug 17)
- Re: [snort-users] alert_syslog and remote syslogs: win32 only? Frank Knobbe (Aug 14)