[Snort-users] Re: Project PigRoast and logging...
vision at ...4...
Tue Oct 10 16:17:51 EDT 2000
At 02:52 PM 10/9/2000 -0400, Joe Magee wrote:
>What I would like to do is have all my snort machines log back to a single
>host. Then have that host either run snortsnarf and present all log
>material in html format or transport the logs somewhere where they can be
>viewed. One of my most important goals is to be able to hand the
>monitoring job over to a "sysops" type of person who will watch the logs
>and respond accordingly, so what I need to do is get the data to a "console"
>for monitoring so I can then start writing respond and react type of policies.
It sounds like you have a good idea - there are several things you can do
to achieve what you've already outlined. As you mention in your
illustration on your website, one of the possible solutions is to use
syslogd or similar software:
ssyslog http://www.core-sdi.com/english/slogging/ssyslog.html (defunct)
msyslog http://www.core-sdi.com/english/slogging/modular-dl.htm (new)
It seems that short of special Snort output plugins (possibly snortnet?),
the simplest way to collect and analyze alerts is by pooling syslog
messages to a central loghost, then post-processing those logs with a tool
such as snortsnarf (http://www.silicondefense.com/snortsnarf/).
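The pipeline sketched above (sensors forward Snort alerts over syslog, a central loghost collects them, and a report is generated for the sysop's console) is easy to prototype without snortsnarf. The following is an added example and is not code from the post, from Snort or from snortsnarf: it takes a constructed chunk of a loghost's syslog, keeps only the Snort alert lines, groups them by signature, and renders a small HTML summary ordered by priority. The exact syslog line layout ("[gid:sid:rev] msg [Classification: ...] [Priority: n]: {proto} src -> dst"), the sensor names, the SIDs and the addresses are all assumptions for the sake of the example, as is the syslog.conf fragment in the comments.

```python
import re
from collections import Counter
from html import escape

# Constructed sample of what a central loghost's /var/log/snort might hold
# after three sensors forward their alerts (assumed per-sensor syslog.conf
# line: "local1.*  @loghost"; Snort started with its syslog alert option).
# The line format is assumed, not taken from the post. A stray sshd line is
# included to show that non-Snort traffic on the loghost is ignored.
SAMPLE_LOG = """\
Oct 10 16:01:02 sensor1 snort[1234]: [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 192.0.2.7 -> 10.0.0.5
Oct 10 16:01:09 sensor1 snort[1234]: [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 192.0.2.7 -> 10.0.0.6
Oct 10 16:02:44 sensor2 snort[987]: [1:1256:2] WEB-IIS CodeRed v2 root.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 198.51.100.23:4123 -> 10.0.1.80:80
Oct 10 16:03:10 sensor3 snort[555]: [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 192.0.2.7 -> 10.0.2.1
Oct 10 16:03:12 sensor3 sshd[777]: Accepted password for admin from 10.0.2.9 port 51234 ssh2
Oct 10 16:04:00 sensor2 snort[987]: [1:1256:2] WEB-IIS CodeRed v2 root.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 198.51.100.23:4200 -> 10.0.1.80:80
"""

# One regex for the assumed alert layout. Classification and Priority are
# optional because not every rule sets them; ports are optional because
# ICMP alerts carry none.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<sensor>\S+) snort\[\d+\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?)"
    r"(?: \[Classification: (?P<cls>[^\]]*)\])?"
    r"(?: \[Priority: (?P<prio>\d+)\])?: "
    r"\{(?P<proto>[A-Z]+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_alerts(text):
    """Return one dict per Snort alert line; other syslog lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # e.g. sshd, cron, or a sensor's own boot messages
        d = m.groupdict()
        d["prio"] = int(d["prio"]) if d["prio"] else None
        alerts.append(d)
    return alerts


def summarize(alerts):
    """Group alerts by (sid, msg); most severe priority first, then by volume."""
    groups = {}
    for a in alerts:
        g = groups.setdefault((a["sid"], a["msg"]), {
            "sid": a["sid"], "msg": a["msg"], "prio": a["prio"],
            "count": 0, "sensors": set(), "sources": Counter()})
        g["count"] += 1
        g["sensors"].add(a["sensor"])     # which sensors saw this signature
        g["sources"][a["src"]] += 1       # who is generating it
    # Snort priority 1 is the most severe, so a lower number sorts first;
    # alerts with no priority go to the bottom.
    return sorted(groups.values(),
                  key=lambda g: (g["prio"] if g["prio"] is not None else 99,
                                 -g["count"]))


def render_html(summary):
    """Render the summary as a plain HTML table for the sysop's console.

    Every field is escaped: some alert fields are derived from packet
    contents, and nothing an attacker sent should become markup in the
    page the monitoring person reads.
    """
    rows = []
    for g in summary:
        top_src = ", ".join("%s (%d)" % (ip, n)
                            for ip, n in g["sources"].most_common(3))
        rows.append(
            "<tr><td>%s</td><td>%s</td><td>%s</td><td>%d</td><td>%s</td><td>%s</td></tr>"
            % (escape(str(g["prio"])), escape(g["sid"]), escape(g["msg"]),
               g["count"], escape(", ".join(sorted(g["sensors"]))),
               escape(top_src)))
    return ("<html><body><h1>Snort alert summary</h1>\n<table border=1>\n"
            "<tr><th>Prio</th><th>SID</th><th>Signature</th><th>Count</th>"
            "<th>Sensors</th><th>Top sources</th></tr>\n"
            + "\n".join(rows) + "\n</table></body></html>\n")


if __name__ == "__main__":
    # On a real loghost: read /var/log/snort instead of SAMPLE_LOG and
    # write the result where the web server serving the console can see it.
    print(render_html(summarize(parse_alerts(SAMPLE_LOG))))
```

Run from cron on the loghost, this gives the "sysops" person a page that answers the first two questions they will ask (what is the worst thing happening, and which host is doing it) before any response policy is written. Note that forwarding alerts over plain UDP syslog means a sensor's alerts can be lost or spoofed on the wire, which is one reason the thread points at the ssyslog/msyslog work rather than stock syslogd.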