[Snort-devel] remote syslog patch

Elazar Broad elazarb at ...891...
Fri May 1 14:45:17 EDT 2009


Hello,
 Here is a small patch for snort 2.8.4.1 (works on 2.8.4 as well) that will enable snort running on *nix to send syslog messages to a remote syslog server. I know that this has been discussed before and the general consensus is to either forward syslogd or use syslog-ng, however, in my case, I run splunk on the same box as snort, and splunk listens on a port other than 514. For some strange reason, writing this patch seemed easier than reconfiguring my box to use syslog-ng, don't ask, I don't know why. Anyhow, here it is. The patch adds a new configure option of --enable-remote-syslog which in turn adds REMOTE_SYSLOG to CFLAGS. Once patched, you will be able to use the win32 syslog configuration format of host=sysloghost:port.

Some caveats:
1. The patch ONLY supports IP addresses for host, one of these days I will add the dns lookup code.
2. If you are using snortsam, patch snort with snortsam FIRST, run autojunk and THEN patch snort with this patch.

Comments, criticisms and bugs, reply to this message...

elazar
A non-text attachment was scrubbed...
Name: snort-2.8.4.1_remote-syslog.patch
Type: application/octet-stream
Size: 9237 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20090501/6fcba6f8/attachment.obj>
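Since the patch itself is only attached, here is an added example (not the patch and not Snort's own code) of the mechanism the message describes: parsing a host=IP:port option, enforcing the IP-literal-only caveat, and sending an RFC 3164 style line over UDP to that port. The struct and function names are assumptions.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Parsed form of the "host=<ipv4>:<port>" option (names are hypothetical). */
struct syslog_target { struct in_addr addr; unsigned short port; };
/* Parse "host=1.2.3.4:5514"; 0 on success, -1 if malformed. Only an IPv4
 * literal is accepted (the caveat above): a hostname is rejected, not resolved. */
int parse_syslog_target(const char *opt, struct syslog_target *out)
{
    char buf[64], *colon, *end;
    long port;
    if (strncmp(opt, "host=", 5) != 0 || strlen(opt) >= sizeof(buf))
        return -1;
    snprintf(buf, sizeof(buf), "%s", opt + 5);
    if ((colon = strchr(buf, ':')) == NULL)
        return -1;
    *colon = '\0';
    if (inet_pton(AF_INET, buf, &out->addr) != 1)
        return -1;                                 /* not an IPv4 literal */
    port = strtol(colon + 1, &end, 10);
    if (end == colon + 1 || *end != '\0' || port < 1 || port > 65535)
        return -1;
    out->port = (unsigned short)port;
    return 0;
}
/* Build an RFC 3164 style line "<PRI>msg", PRI = facility*8 + severity;
 * returns the number of characters written (excluding the NUL). */
int format_syslog_line(char *buf, size_t size, int fac, int sev, const char *msg)
{
    return snprintf(buf, size, "<%d>%s", fac * 8 + sev, msg);
}
/* Send one datagram to the target over UDP; returns bytes sent or -1. */
int send_remote_syslog(const struct syslog_target *t, int fac, int sev,
                       const char *msg)
{
    char line[1024];
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(t->port),
                               .sin_addr = t->addr };
    int fd, n = format_syslog_line(line, sizeof(line), fac, sev, msg);
    if (n < 0 || (size_t)n >= sizeof(line) || (fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
        return -1;
    n = (int)sendto(fd, line, (size_t)n, 0, (struct sockaddr *)&sin, sizeof(sin));
    close(fd);
    return n;
}
```

A collector listening on a non-514 port (as with the splunk setup above) receives the datagram unchanged, so the PRI and message text can be checked on the receiving side.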