[Snort-users] Output Plugins

Andrew R. Baker andrewb at ...1150...
Sat Mar 17 16:10:58 EST 2001


I can look into creating a syslog output plugin that sends directly to an
arbitrary host on the network.  This should solve your problem and may be
useful for other people as well.  I should be able to have something
complete by tomorrow afternoon (depends on how many more things I have to
work on this weekend).

-A


Frank Knobbe wrote:
> 
> I'm sorry, I should have mentioned again in the follow up that I'm
> running the Win32 port of Snort. Since NT does not have a native
> syslog daemon, you need to specify a syslog server with the command
> line argument -s. And that seems to be turning off the ability to log
> into a file (in addition to syslog), since cmd line args override the
> output options.
> 
> Frank
> 
> > -----Original Message-----
> > From: Karl Lovink [mailto:karl at ...500...]
> > Sent: Saturday, March 17, 2001 11:44 AM
> >
> > You can't. Snort will send the syslog output to the /dev/log special
> > file and the syslogd reads this special file. What you can do in your
> > /etc/syslogd.conf file is that you will send the snort logging to a
> > remote syslogd daemon.
> >
> > On Sat, 17 Mar 2001, Frank Knobbe wrote:
> >
> > > But the question remains. How do I specify what syslog server to
> > > send the messages to? Apparently only with the command line
> > > argument -s, but when I use that, the command line overrides the
> > > plug-in, in which case it still does not create the alert.ids file
> > > in addition to syslog messages. How do you get both?