[Snort-users] Output Plugins
john at ...1477...
Sun Mar 18 03:47:15 EST 2001
I'm not a Microsoft user, but I'm gonna try anyway.
In Linux, when we set the syslog daemon to stream to a remote loghost, the
configuration includes two modifications outside of the snort config.
1. A change in the /etc/syslog.conf file. syslog.conf tells the syslog daemon
what log files to use for the facility / priority combinations the admin has
set up. Do you have such a thing in NT? It is here that we specify the remote
# this will stream all *.warn to the remote loghost listed below.
2. On the loghost, you must specify that it is to accept the incoming stream
from the remote sensor. Again in Linux, this simply requires the -r switch when
we fire off the daemon at boot.
Now... within snort.conf you include:
output alert_syslog: LOG_AUTH LOG_ALERT ( or whatever you choose to log )
Now I usually fire off syslogd locally first to make sure it is logging
properly, then I redirect it to the remote loghost with the /etc/syslog.conf mod
I show above.
heheh... but you can't do that... cause you have no local syslog : (
So... what you need is the equivalent of the syslog.conf file. Do you have one?
Let's go from there.
On Sat, 17 Mar 2001 12:23:34 -0600, Frank Knobbe said:
> I'm sorry, I should have mentioned again in the follow up that I'm
> running the Win32 port of Snort. Since NT does not have a native
> syslog daemon, you need to specify a syslog server with the command
> line argument -s. And that seems to be turning off the ability to log
> into a file (in addition to syslog), since cmd line args override the
> output options.
> > -----Original Message-----
> > From: Karl Lovink [mailto:karl at ...500...]
> > Sent: Saturday, March 17, 2001 11:44 AM
> > You can't. Snort will send the syslog output to the /dev/log
> > special file
> > and the syslogd reads this special file. What you can do in your
> > /etc/syslogd.conf file is that you will send the snort logging to a
> > remote syslogd daemon.
> > On Sat, 17 Mar 2001, Frank Knobbe wrote:
> > > But the question remains. How do I specify what syslog server to send
> > > the messages to? Apparently only with the command line argument
> > > -s, but when I use that, the command line overrides the plug-in, in which
> > > case it still does not create the alert.ids file in addition to
> > > syslog messages. How do you get both?
John Kiehnle <john at ...1477...> http://www.mtspokane.net
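The three pieces John's message ties together (the facility/priority Snort logs at, a sensor-side syslog.conf rule that forwards it, and a loghost syslogd started with -r) are easy to get out of step. The script below is an added example, not code from the post or from the Snort project: it maps the `output alert_syslog: LOG_AUTH LOG_ALERT` line into the `auth.alert` selector classic sysklogd syslog.conf uses, checks whether a given syslog.conf forwards that selector to a remote host (taking into account that a priority selects everything at that level and above, so `*.warn` also carries `auth.alert`), and checks a syslogd command line for `-r`. The snort.conf line is the one from the post; the syslog.conf contents, the hostname `loghost.example.net`, and the helper function names are constructed for the demo, and the parser handles plain `facility.priority` selectors only.

```shell
#!/bin/sh
# Added example (not from the original post): check that Snort's alert_syslog
# facility/priority, the sensor's syslog.conf forwarding rule, and the loghost's
# syslogd -r line up. Hostname, file contents and helper names are constructed.

# The snort.conf output line from the post.
SNORT_CONF_SAMPLE='output alert_syslog: LOG_AUTH LOG_ALERT'

# Constructed sensor-side /etc/syslog.conf. Classic sysklogd syntax:
# "<facility>.<priority>", whitespace, then a local file or "@<loghost>".
# A priority selects that level and everything more severe, so "*.warn"
# also carries auth.alert to the loghost.
SYSLOG_CONF_FORWARDING='# keep auth locally too, for testing before going remote
auth.*	/var/log/auth.log
# this will stream all *.warn to the remote loghost listed below.
*.warn	@loghost.example.net'

# Constructed "before" configuration: everything stays in local files.
SYSLOG_CONF_LOCAL_ONLY='auth.*	/var/log/auth.log
*.warn	/var/log/messages'

# Turn "output alert_syslog: LOG_AUTH LOG_ALERT" into the selector that
# syslog.conf uses for it ("auth.alert").
snort_selector() {
    set -- $1
    fac=$(printf '%s' "$3" | sed 's/^LOG_//' | tr 'A-Z' 'a-z')
    pri=$(printf '%s' "$4" | sed 's/^LOG_//' | tr 'A-Z' 'a-z')
    printf '%s.%s\n' "$fac" "$pri"
}

# Print the loghost (without the '@') of the first selector in syslog.conf
# text "$1" that matches selector "$2" (e.g. auth.alert) and forwards
# remotely; print nothing if matching messages only go to local files.
# Simplification: plain "facility.priority" selectors only, no ';' lists and
# no '=' or '!' modifiers.
forwarding_host() {
    printf '%s\n' "$1" | awk -v want="$2" '
    BEGIN {
        n = split("debug info notice warning err crit alert emerg", lv, " ")
        for (i = 1; i <= n; i++) rank[lv[i]] = i
        rank["warn"] = rank["warning"]; rank["error"] = rank["err"]
        rank["panic"] = rank["emerg"]
        split(want, w, "[.]"); wf = w[1]; wp = w[2]
    }
    /^[ \t]*#/ || NF < 2 { next }
    {
        split($1, s, "[.]")
        fm = (s[1] == "*" || s[1] == wf)
        pm = (s[2] == "*" || (rank[s[2]] > 0 && rank[s[2]] <= rank[wp]))
        if (fm && pm && $2 ~ /^@/) { sub(/^@/, "", $2); print $2; exit }
    }'
}

# Step 2 of the post: sysklogd's syslogd on the loghost only accepts forwarded
# messages when started with -r. Returns 0 if the command line "$1" has it
# (bundled flags such as "-rm" are not unpacked).
loghost_accepts_remote() {
    for arg in $1; do
        [ "$arg" = "-r" ] && return 0
    done
    return 1
}

# Walk the three steps for the sample configuration.
sel=$(snort_selector "$SNORT_CONF_SAMPLE")
echo "snort logs at:           $sel"
echo "forwarded to loghost:    $(forwarding_host "$SYSLOG_CONF_FORWARDING" "$sel")"
echo "local-only config sends: '$(forwarding_host "$SYSLOG_CONF_LOCAL_ONLY" "$sel")'"
if loghost_accepts_remote "syslogd -r -m 0"; then
    echo "loghost 'syslogd -r -m 0' accepts remote messages"
fi
```

Run it against a real sensor by replacing the constructed strings with `$(cat /etc/syslog.conf)` and the snort.conf output line; an empty result from the forwarding check is the "alerts never leave the box" case John describes testing for locally first.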