[Snort-users] logging to remote loghost

John Kiehnle john at ...1477...
Thu Mar 8 02:38:22 EST 2001


Ok, let me set up the scenario here...

I have a two sensor setup. One on the perimeter... the "exposed sensor", and
one inside to monitor for malicious packets that may have traversed my DMZ
obstacles.

The external "exposed" sensor is streaming alerts to a remote mysql db / ACID
console inside the firewall.  That is all working fine... Thank you Jed Pickel.

I really like the razorback audible alerts for inside the firewall so I also
use the syslog daemon to generate logs for it. I configured snort.conf to
stream the logfiles off the "exposed sensor" to a remote loghost via
configuration of the syslog daemon as follows:

On the loghost, I invoke syslogd with the -r to listen on port 514 for
incoming log information from remote hosts.

On the "exposed sensor" I have configured /etc/syslog.conf to stream all

*.warn;*.err @loghost

Ok... that said, the "exposed sensor" is capturing packets and appears to be
streaming the logs to the remote loghost, but the loghost is not getting the
logs from the sensor like it should.

My question is... What is available on the loghost side of things to
troubleshoot the syslog daemon? I'd like to see if the logs are making it there
to begin with.

BTW... I know this is a bit off topic. Thanks in advance.

John

-- 
John Kiehnle

--- CHAOS -Where Great Dreams Begin ---

Before a great vision can become reality there may be difficulty. Before a person
begins a great endeavor, they may encounter chaos.

As a new plant breaks the ground with great difficulty, foreshadowing the huge
tree, so must we sometimes push against difficulty in bringing forth our
dreams.

"Out of Chaos, Brilliant Stars are Born."

I-Ching Hexagram #3
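An added example for the loghost-side check asked about above; it is mine, not code from the post or from the Snort project. It reads a syslog.conf line like `*.warn;*.err @loghost`, reports whether a message at a given facility and priority would be forwarded under classic BSD syslogd selector rules, and can send one tagged test datagram to UDP port 514 (what syslogd -r listens on) so the loghost's log files can be searched for it. The `authpriv`/`alert` facility and priority used for the test message and the `snorttest` tag are assumed values, not Snort's own defaults.

```python
import socket
import time

# BSD syslog facility and severity codes (RFC 3164 / syslog(3)).
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11, "local0": 16, "local1": 17,
              "local2": 18, "local3": 19, "local4": 20, "local5": 21,
              "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "warn": 4, "notice": 5, "info": 6, "debug": 7}

def parse_selector(line):
    """'*.warn;*.err @loghost' -> ([('*', 4), ('*', 3)], '@loghost').
    Plain facility.level selectors only (no '=', '!' or 'none' forms)."""
    selector, action = line.split(None, 1)
    rules = []
    for part in selector.split(";"):
        fac, sev = part.split(".")
        rules.append((fac, SEVERITIES[sev]))
    return rules, action.strip()

def is_forwarded(line, facility, severity):
    """Classic syslogd semantics: a level selects itself and everything more
    severe (numerically lower); '*' as the facility matches every facility."""
    rules, _ = parse_selector(line)
    sev = SEVERITIES[severity]
    return any(fac in ("*", facility) and sev <= minsev for fac, minsev in rules)

def encode_pri(facility, severity):
    """PRI that opens every syslog datagram: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]

def build_datagram(facility, severity, host, tag, msg):
    """RFC 3164 layout: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG (day space-padded)."""
    t = time.localtime()
    stamp = "%s %2d %s" % (time.strftime("%b", t), t.tm_mday, time.strftime("%H:%M:%S", t))
    return "<%d>%s %s %s: %s" % (encode_pri(facility, severity), stamp, host, tag, msg)

def send_test(loghost, facility="authpriv", severity="alert", port=514):
    """Send one tagged test message to the loghost over UDP/514, then grep the
    loghost's log files for 'snorttest' to confirm it arrived. The facility and
    severity here are assumed values, not Snort's own."""
    data = build_datagram(facility, severity, socket.gethostname(), "snorttest", "remote logging check")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(data.encode(), (loghost, port))
    return data
```

Checking a message's facility and priority against the selector first separates "syslogd dropped it locally" from "the datagram never reached the loghost".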