[Snort-devel] Syslogd (Was: Re: Call for Bugs)

Jason A. Haynes jahaynes at ...502...
Sun Jul 8 03:02:00 EDT 2001


I know various firewall appliances have built-in remote syslog options.
This is because they're not full Unix systems with their own syslogd
running.  The same can probably be said of most NT programs.  In Unix,
syslogd is an expected, integrated part of Unix; daemons therefore use the
local one.

As a bonus, the local syslog.h constants which snort compiles in should
(I'm pretty sure) get translated between the local & remote syslogds
in the remote syslog protocol.

On Sun, 8 Jul 2001, Martin Roesch wrote:

> Hi Rich,
> 
> > The option to specify a syslog "Facility" and "Priority" in the rules does
> > not work with remote syslogging:
> >   "output alert_syslog: LOG_AUTH LOG_ALERT"
> > 
> > If I use "-s 1.2.3.4" on startup, changing the above statement to anything
> > reasonable prior to the startup has no impact. (This has been traced and
> > analyzed with a Sniffer, observing the syslog packets on the wire.)
> 
> Snort doesn't support specifying a remote syslog server on the command
> line, if you want to do that you need to modify your syslog.conf file
> and restart syslogd.
> 
> > The only way that I've found to accomplish this is to change source
> > in log.c at multiple locations and re-compile. For example...
> >     {
> >      /* ICMP packets don't get port info... */
> >      /*    syslog(LOG_AUTHPRIV | LOG_ALERT, "%s: %s -> %s", msg,  */
> >            syslog(LOG_LOCAL3 | LOG_WARNING, "%s: %s -> %s", msg,
> >                 sip, dip);
> >     }
> > 
> > Also, the "LOG_AUTHPRIV" value is defined with a non-standard value (10)
> > which causes some syslog daemons to choke. ("LOG_FTP" is also non-standard
> > as 11, and "LOG_CRON" value should be 15 not 9. All are defined in syslog.h)
> > Historically, valid Facility values are 0-8 and 15-23, while valid Priority
> > values are 0-7.
> 
> Snort draws its values from the local /usr/include/syslog.h file, so any
> oddball definitions you might see are probably local to the host that's
> generating the alerts.
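The facility/priority packing the thread argues about, as an added example (not code from this thread or from Snort): a small C program that splits the value Snort hands to syslog(3) into the facility number and priority a remote syslogd sees, and parses the "<PRI>" prefix of a datagram. The constants come from the host's own syslog.h; the sample datagram, host name and addresses are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>

/* syslog(3) takes facility|priority in one int: the facility sits in
   bits 3 and up (so LOG_AUTHPRIV == 10 << 3) and the priority in the
   low 3 bits. The same number becomes the "<PRI>" prefix of the UDP
   datagram a remote syslogd receives, which is why the receiving end
   can recover the facility without sharing the sender's syslog.h. */
int facility_of(int pri) { return (pri >> 3) & 0x1f; }
int priority_of(int pri) { return pri & 7; }
int make_pri(int facility, int priority) { return (facility << 3) | (priority & 7); }

/* Parse the "<PRI>" prefix of a datagram. Returns the PRI (0..191) and
   points *rest at the text after '>', or returns -1 when the prefix is
   missing, non-numeric, longer than three digits, or out of range. */
int parse_pri(const char *dgram, const char **rest) {
    if (dgram[0] != '<' || !isdigit((unsigned char)dgram[1])) return -1;
    char *end;
    long v = strtol(dgram + 1, &end, 10);
    if (*end != '>' || end - dgram > 4 || v > 191) return -1;
    if (rest) *rest = end + 1;
    return (int)v;
}

/* Constructed sample datagram, as the modified log.c call
   syslog(LOG_LOCAL3 | LOG_WARNING, ...) would put it on the wire
   (hypothetical timestamp, host and addresses). */
static const char SAMPLE[] =
    "<156>Jul  8 03:02:00 sensor snort: PROBE: 10.0.0.5 -> 10.0.0.9";

int main(void) {
    const char *msg;
    int pri = parse_pri(SAMPLE, &msg);
    printf("LOG_LOCAL3|LOG_WARNING = %d, LOG_AUTHPRIV facility = %d\n",
           LOG_LOCAL3 | LOG_WARNING, facility_of(LOG_AUTHPRIV));
    printf("PRI %d -> facility %d priority %d: %s\n",
           pri, facility_of(pri), priority_of(pri), msg);
    return 0;
}
```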
