[Snort-users] Win32 port and Syslog

Michael Davis mike at ...92...
Sat Nov 18 23:54:00 EST 2000

Hash: SHA1

Getting the win32 port to log to a syslog server is not that simple.
I personally have never written anything to interact with a syslog
server remotely so I do not know how the protocol works. I do know
however that there are tons of programs on the net that will take
your Event Log and send it to a remote syslog server every time their
is a write to the event log(effectively forwarded all data to the
syslog server). There is even an open source
one(http://www.sabernet.net/ I believe). You could modify it to only
look for snort generated logs and forward them and you would be set.

I am not against removing the Event Log option but you are the first
person to ask to do so :)

Michael Davis
Chief Technical Officer
Data Nerds, LLC.

- ----- Original Message ----- 
From: "Frank Knobbe" <FKnobbe at ...652...>
To: <snort-users at lists.sourceforge.net>
Sent: Saturday, November 18, 2000 5:52 PM
Subject: [Snort-users] Win32 port and Syslog

> Hash: SHA1
> Greetings,
> I wanted to make a recommendation to Snort here in the this list in
> hopes to gather some support :)
> I'm running the Win32 port of Snort and am pretty happy with it. I
> have a script running that monitors the log file, and depending on
> the event logged, it will reconfigure my firewall to block the
> offender (Snort is running as an Attack Detection System outside
> the firewall. Please don't start a thread on that, we just had that
> in another list :)
> Anyway, what I would really like is the ability to send Syslog
> messages. Unfortunately the Win32 port does not do that, instead it
> logs to the EventLog. Can't this be made an option? I think the
> user should be given the choice to log to the EventLog or to send a
> Syslog packet to a Syslog server. Marty, is that something you can
> add in the next version please?
> Sending a Syslog packet would help greatly in automating events
> since a script can watch for and receive Syslog packets, and then
> trigger an action. This mechanism would be quicker than monitoring
> the log file. Any supporters for the optional Syslog under Win32?
> Regards,
> Frank
> Version: PGP Personal Privacy 6.5.1
> Comment: PGP or S/MIME encrypted email preferred.
> iQA/AwUBOhcWWERKym0LjhFcEQIF5gCgqRRQPu28ckQurcaATF2zAA0h7aQAniPB
> +7hMn8TcqW0m99wHMb5Jm8o7
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>


More information about the Snort-users mailing list