Snort mailing list archives

Re: Is it possible to change the output format for the alert_syslog module?


From: waldo kitty <wkitty42 () windstream net>
Date: Thu, 01 Aug 2013 11:28:07 -0400

On 8/1/2013 09:12, Niels van Eijck wrote:
We use the alert_syslog module to log alerts via syslog.
Is there a way to configure the way in which the alerts are logged by snort?
I am looking for a way to change the logging to a csv format if possible.

use a different output module or add another output module if you want both 
output forms...

pg 155 of the snort 2.9.4 pdf manual

2.6.6 csv
   The csv output plugin allows alert data to be written in a format easily 
importable to a database. The output fields and their order may be customized.

Format
   output alert_csv: [<filename> [<format> [<limit>]]]
   <format> ::= "default"|<list>
   <list> ::= <field>(,<field>)*
   <field> ::= "dst"|"src"|"ttl" ...
   <limit> ::= <number>[('G'|'M'|'K')]
   • filename: the name of the log file. The default name is <logdir>/alert.csv. 
You may specify "stdout" for terminal output. The name may include an absolute 
or relative path.
   • format: The list of formatting options is below. If the formatting option 
is "default", the output is in the order of the formatting options listed.

     – timestamp
     – sig generator
     – sig id
     – sig rev
     – msg
     – proto
     – src
     – srcport
     – dst
     – dstport
     – ethsrc
     – ethdst
     – ethlen
     – tcpflags
     – tcpseq
     – tcpack
     – tcplen
     – tcpwindow
     – ttl
     – tos
     – id
     – dgmlen
     – iplen
     – icmptype
     – icmpcode
     – icmpid
     – icmpseq

   • limit: an optional limit on file size which defaults to 128 MB. The minimum 
is 1 KB. See 2.6.10 for more information.

Example
   output alert_csv: /var/log/alert.csv default
   output alert_csv: /var/log/alert.csv timestamp, msg



-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
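
Worked example, added to this archive page and not part of the original post or
of Snort itself: a small Python consumer for the alert_csv output described in
the manual excerpt above. It knows the "default" field order, splits a line
into named fields, parses Snort's default year-less timestamp, counts alerts
per signature while tolerating a corrupt line, and renders an
"output alert_csv:" directive after checking the field names and the <limit>
suffix against the grammar quoted above. Assumptions, all the author's and not
confirmed by the page: the sample lines are constructed, not real Snort output;
the msg field is taken to be double-quoted with embedded quotes and backslashes
backslash-escaped; the signature fields are spelled sig_generator, sig_id and
sig_rev as snort.conf keywords (the manual excerpt shows them with spaces); and
the function names are the author's own.

```python
import csv
import re
from collections import Counter
from datetime import datetime

# Field order of the "default" alert_csv format, as listed in section 2.6.6 of
# the Snort 2.9.4 manual. The underscored spellings of the three signature
# fields are assumed to be the keywords snort.conf expects.
DEFAULT_FIELDS = [
    "timestamp", "sig_generator", "sig_id", "sig_rev", "msg", "proto",
    "src", "srcport", "dst", "dstport", "ethsrc", "ethdst", "ethlen",
    "tcpflags", "tcpseq", "tcpack", "tcplen", "tcpwindow", "ttl", "tos",
    "id", "dgmlen", "iplen", "icmptype", "icmpcode", "icmpid", "icmpseq",
]

# Constructed sample lines (not captured from a real sensor): two hits on a
# hypothetical sid 1000001 whose msg contains a comma, one ICMP alert whose
# msg contains escaped quotes, and one corrupt line of the kind a partial
# write or a log rotation mid-line leaves behind.
SAMPLE_LINES = [
    '08/01-11:28:07.123456,1,1000001,1,"TEST alert, with comma",TCP,10.0.0.5,51234,10.0.0.10,80,'
    '00:11:22:33:44:55,66:77:88:99:AA:BB,0x4A,***A****,0x1A2B3C4D,0x5E6F7081,0x14,0x200,64,0x0,12345,60,0x3C,,,,',
    '08/01-11:28:09.000001,1,1000001,1,"TEST alert, with comma",TCP,10.0.0.6,40000,10.0.0.10,80,'
    '00:11:22:33:44:66,66:77:88:99:AA:BB,0x4A,***A****,0x11111111,0x22222222,0x14,0x200,64,0x0,12346,60,0x3C,,,,',
    '08/01-11:28:10.500000,1,1000002,2,"ICMP \\"ping\\" sweep",ICMP,10.0.0.7,,10.0.0.10,,'
    '00:11:22:33:44:77,66:77:88:99:AA:BB,0x2A,,,,,,64,0x0,777,28,0x1C,8,0,0x1234,1',
    'garbage line that does not match the format',
]


def parse_alert_csv_line(line, fields=DEFAULT_FIELDS):
    """Split one alert_csv line into a dict keyed by field name.

    The msg field is assumed to be written in double quotes with embedded
    quotes and backslashes escaped by a backslash, so the reader is set up
    for backslash escaping rather than the "" doubling csv defaults to.
    A field-count mismatch is an error: silently zipping a short line would
    shift every later value under the wrong column name.
    """
    values = next(csv.reader([line.rstrip("\n")], doublequote=False, escapechar="\\"))
    if len(values) != len(fields):
        raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
    return dict(zip(fields, values))


def parse_snort_timestamp(ts, year):
    """Parse Snort's default 'MM/DD-HH:MM:SS.uuuuuu' timestamp.

    The default timestamp carries no year, so the caller supplies one; the
    caller also has to watch for the rollover when a file spans New Year.
    """
    return datetime.strptime(f"{year}/{ts}", "%Y/%m/%d-%H:%M:%S.%f")


def unknown_fields(fields):
    """Return the names in a custom <list> that alert_csv does not know."""
    return [f for f in fields if f not in DEFAULT_FIELDS]


def build_output_directive(filename, fields="default", limit=None):
    """Render an 'output alert_csv:' line following the quoted grammar,
    refusing unknown field names and malformed <limit> values up front
    rather than finding out when Snort fails to start."""
    if fields == "default":
        field_spec = "default"
    else:
        bad = unknown_fields(fields)
        if bad:
            raise ValueError(f"unknown alert_csv field(s): {bad}")
        field_spec = ",".join(fields)
    parts = ["output alert_csv:", filename, field_spec]
    if limit is not None:
        # <limit> ::= <number>[('G'|'M'|'K')]
        if not re.fullmatch(r"[0-9]+[GMK]?", limit):
            raise ValueError(f"bad limit {limit!r}; expected e.g. 128M")
        parts.append(limit)
    return " ".join(parts)


def summarize(lines, fields=DEFAULT_FIELDS):
    """Count alerts per (generator, sid, msg). Malformed lines are counted and
    skipped, not fatal: one bad line must not stop processing of the file."""
    counts = Counter()
    rejected = 0
    for line in lines:
        if not line.strip():
            continue
        try:
            rec = parse_alert_csv_line(line, fields)
        except ValueError:
            rejected += 1
            continue
        counts[(rec.get("sig_generator", ""), rec.get("sig_id", ""), rec.get("msg", ""))] += 1
    return counts, rejected


if __name__ == "__main__":
    print(build_output_directive("/var/log/alert.csv", ["timestamp", "msg"], "50M"))
    counts, rejected = summarize(SAMPLE_LINES)
    for (gid, sid, msg), n in counts.most_common():
        print(f"{n:4d}  {gid}:{sid}  {msg}")
    print(f"rejected lines: {rejected}")
```

Two points worth checking in practice: verify the quoting convention against a
real alert.csv from your own sensor before trusting the parser on the msg
field, and feed the module the same field list you put in snort.conf, since a
custom <list> changes both the column count and the column order and the
parser has no header line to recover them from.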

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
