[Snort-users] Output Plugins

John Kiehnle john at ...1477...
Sun Mar 18 03:47:15 EST 2001


I'm not a Microsoft user,  but I'm gonna try anyway.

In Linux, when we set the syslog daemon to stream to a remote loghost, the
configuration includes two modifications outside of the snort config. 

1.  A change in the /etc/syslog.conf file. syslog.conf tells the syslog daemon
what log files to use for the facility / priority combinations the admin has
set up. Do you have such a thing in NT? It is here that we specify the remote

an example:
# this will stream all *.warn to the remote loghost listed below.

*.warn			@somehost.somedomain.com

2. On the loghost, you must specify that it is to accept the incoming stream
from the remote sensor. Again in Linux, this simply requires the -r switch when
we fire off the daemon at boot.

Now...	within snort.conf you include:

output alert_syslog: LOG_AUTH LOG_ALERT  ( or whatever you choose to log )

Now I usually fire off syslogd locally first to make sure it is logging
properly then I redirect it to the remote loghost with the /etc/syslog.conf mod
I show above.

heheh... but you can't do that... cause you have no local syslog : ( 

So... what you need it the equiv of the syslog.conf file. Do you have? 

Lets go from there.


On Sat, 17 Mar 2001 12:23:34 -0600, Frank Knobbe said:

>  Hash: SHA1
>  I'm sorry, I should have mentioned again in the follow up that I'm
>  running the Win32 port of Snort. Since NT does not have a native
>  syslog daemon, you need to specify a syslog server with the command
>  line argument -s. And that seems to be turning off the ability to log
>  into a file (in addition to syslog), since cmd line args override the
>  output options.
>  Frank
>  > -----Original Message-----
>  > From: Karl Lovink [mailto:karl at ...500...]
>  > Sent: Saturday, March 17, 2001 11:44 AM
>  > 
>  > You can't. Snort will send the syslog output to the /dev/log 
>  > special file
>  > and the syslogd reads this special file. What you can do in your
>  > /etc/syslogd.conf file is that you will send the snort logging to a
>  > remote syslogd daemon.
>  >
>  > On Sat, 17 Mar 2001, Frank Knobbe wrote:
>  > 
>  > > But the question remains. How do I specify what syslog 
>  > server to send
>  > > the messages to? Apparently only with the command line argument
>  > > -s, but when I use that, the command line overrides the 
>  > plug-in, in which
>  > > case it still does not create the alert.ids file in addition to
>  > > syslog messages. How do you get both?
>  Version: PGP Personal Privacy 6.5.8
>  Comment: PGP or S/MIME encrypted email preferred.
>  iQA/AwUBOrOrppytSsEygtEFEQJ5SwCgl7lXcMQ6+5x2pYrxxWtArbi1YZMAn0Az
>  4eHngPDDfdPdjJ3d4A1wqw2k
>  =j20C
>  -----END PGP SIGNATURE-----
>  _______________________________________________
>  Snort-users mailing list
>  Snort-users at lists.sourceforge.net
>  Go to this URL to change user options or unsubscribe:
>  http://lists.sourceforge.net/lists/listinfo/snort-users
>  Snort-users list archive:
>  http://www.geocrawler.com/redir-sf.php3?list=snort-users

John Kiehnle <john at ...1477...> http://www.mtspokane.net

More information about the Snort-users mailing list