[Snort-users] Re: Project PigRoast and logging...

Max Vision vision at ...4...
Tue Oct 10 16:17:51 EDT 2000


At 02:52 PM 10/9/2000 -0400, Joe Magee wrote:
>http://www.joemagee.com/projectpigroast.htm
>What I would like to do is have all my snort machines log back to a single 
>host, then have that host either run snortsnarf and present all log 
>material in HTML format or transport the logs somewhere where they can be 
>viewed. One of my most important goals is to be able to hand the 
>monitoring job over to a "sysops" type of person who will watch the logs 
>and respond accordingly, so what I need to do is get the data to a "console" 
>for monitoring so I can then start writing respond-and-react type policies.
>Any ideas?

It sounds like you have a good idea - there are several things you can do 
to achieve what you've already outlined.  As you mention in your 
illustration on your website, one of the possible solutions is to use 
syslogd or similar software:

syslog-ng  http://www.balabit.hu/products/syslog-ng/
ssyslog    http://www.core-sdi.com/english/slogging/ssyslog.html (defunct)
msyslog    http://www.core-sdi.com/english/slogging/modular-dl.htm (new)
SRS        http://www.w00w00.org/files/SRS/

It seems that short of special Snort output plugins (possibly snortnet?), 
the simplest way to collect and analyze alerts is by pooling syslog 
messages to a central loghost, then post-processing those logs with a tool 
such as snortsnarf (http://www.silicondefense.com/snortsnarf/).

Max
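The pipeline outlined above (sensors -> syslog -> central loghost -> snortsnarf-style HTML for the sysops console) as an added worked example for the loghost side; this is not code from the thread, from Snort or from snortsnarf. It assumes the loghost already receives the sensors' syslog stream in a file, that the alert lines follow Snort's "[gid:sid:rev] msg [Classification: ...] [Priority: n] {proto} src -> dst" syslog layout (this varies between Snort versions, so the regex is an assumption to check against your own sensors), and the six log lines, sensor names and addresses are constructed for the example.

```python
import html
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumed Snort syslog alert layout; verify against your sensors' actual output.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) snort(?:\[\d+\])?: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?"
    r"\[Priority: (?P<pri>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample of what a central loghost would collect from two sensors;
# line 5 is an ordinary syslog message to show non-alert lines being reported.
SAMPLE_LOG = """\
Oct 10 16:17:51 sensor1 snort[1234]: [1:1002:3] WEB-IIS cmd.exe access [Classification: Web Application Attack] [Priority: 1] {TCP} 10.1.1.9:4321 -> 192.168.1.5:80
Oct 10 16:18:02 sensor2 snort[4444]: [1:1002:3] WEB-IIS cmd.exe access [Classification: Web Application Attack] [Priority: 1] {TCP} 10.1.1.9:4322 -> 192.168.2.7:80
Oct 10 16:18:40 sensor1 snort[1234]: [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.1.1.9 -> 192.168.1.5
Oct 10 16:19:03 sensor1 snort[1234]: [1:1002:3] WEB-IIS cmd.exe access [Priority: 1] {TCP} 10.7.7.7:1111 -> 192.168.1.5:80
Oct 10 16:19:10 sensor2 syslogd: restart
Oct 10 16:19:55 sensor2 snort[4444]: [1:1243:2] WEB-IIS ISAPI .ida attempt [Classification: Web Application Attack] [Priority: 1] {TCP} 10.7.7.7:1112 -> 192.168.2.7:80
"""


@dataclass
class Alert:
    ts: str
    sensor: str
    sig: str        # "gid:sid:rev"
    msg: str
    cls: str
    priority: int
    proto: str
    src: str
    dst: str


def parse_line(line: str) -> Optional[Alert]:
    """Return an Alert for a Snort syslog alert line, or None for anything else."""
    m = ALERT_RE.match(line.rstrip())
    if not m:
        return None
    return Alert(ts=m["ts"], sensor=m["host"], sig=f"{m['gid']}:{m['sid']}:{m['rev']}",
                 msg=m["msg"], cls=m["cls"] or "unclassified", priority=int(m["pri"]),
                 proto=m["proto"], src=m["src"], dst=m["dst"])


def summarize(lines: Iterable[str]) -> dict:
    """Roll the loghost's stream up into the counts an operator triages by."""
    by_sig, by_src, by_dst, by_sensor = Counter(), Counter(), Counter(), Counter()
    unparsed, parsed = [], 0
    for line in lines:
        a = parse_line(line)
        if a is None:
            # Non-alert syslog traffic or a layout the regex does not know.
            # Keep these visible: dropping them silently hides format drift,
            # syslog truncation and sensors that stopped sending alerts.
            if line.strip():
                unparsed.append(line)
            continue
        parsed += 1
        by_sig[(a.sig, a.msg, a.priority)] += 1
        by_src[a.src] += 1
        by_dst[a.dst] += 1
        by_sensor[a.sensor] += 1
    return {"parsed": parsed, "unparsed": unparsed, "by_sig": by_sig,
            "by_src": by_src, "by_dst": by_dst, "by_sensor": by_sensor}


def render_html(summary: dict) -> str:
    """Emit a minimal snortsnarf-style page: one table per roll-up, top hits first."""
    def table(title: str, counter: Counter, label: str) -> str:
        # Everything from the log is escaped: sensor names, IPs and messages are
        # attacker-influenced and this page is opened in the operator's browser.
        rows = "".join(f"<tr><td>{html.escape(str(k))}</td><td>{n}</td></tr>"
                       for k, n in counter.most_common())
        return f"<h2>{title}</h2><table><tr><th>{label}</th><th>alerts</th></tr>{rows}</table>"

    sigs = Counter({f"[{sig}] {msg} (priority {pri})": n
                    for (sig, msg, pri), n in summary["by_sig"].items()})
    body = (table("Alerts by signature", sigs, "signature")
            + table("Alerts by source", summary["by_src"], "source IP")
            + table("Alerts by destination", summary["by_dst"], "destination IP")
            + table("Alerts by sensor", summary["by_sensor"], "sensor"))
    note = (f"<p>{summary['parsed']} alerts parsed, "
            f"{len(summary['unparsed'])} lines not recognised as alerts.</p>")
    return f"<html><body><h1>Snort alert summary</h1>{note}{body}</body></html>"


if __name__ == "__main__":
    # Point this at the loghost's syslog file in practice: summarize(open(path)).
    print(render_html(summarize(SAMPLE_LOG.splitlines())))
```

Run it on the loghost from cron and publish the HTML on a read-only web directory the sysops console can reach; the "lines not recognised" count is the sanity check that the sensors are still sending and that the syslog layout has not changed under the parser, and the per-sensor table is the quickest way to notice a sensor that has gone quiet.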