[Snort-users] Remote syslog server using snort.conf
fknobbe at ...652...
Sun Aug 25 09:41:02 EDT 2002
On Sat, 2002-08-24 at 22:48, Wayne T Work wrote:
> Try uncommenting these lines in the conf and fill in the data for SYSlog
> and MySQL
That only works for non-Windows systems. Under Windows, if you want to
log to a remote syslog server (using -s in the command line) *and*
output's configured in snort.conf, you have to hack the source code and
Specifically, in snort.c, within ParseCmdLine, you find the section:
    case 's': /* log alerts to syslog */
        pv.syslog_flag = 1;
        DebugMessage(DEBUG_INIT, "Logging alerts to syslog\n");
        /* command line alerting option has been specified,
         * override the alert options in the config file
         */
        pv.alert_cmd_override = 1;
        /* remote syslog target, "server[:port]", default port 514 */
        pv.syslog_remote_flag = 1;
        toks = mSplit(optarg, ":", 2, &num_toks, 0);
        strncpy(pv.syslog_server, toks[0], STD_BUF-1);
        pv.syslog_server_port = (num_toks == 1) ? 514 : atoi(toks[1]);
        DebugMessage(DEBUG_INIT, "Logging alerts to syslog server %s on port %d\n",
                     pv.syslog_server, pv.syslog_server_port);
        break;
Since command line args override the snort.conf, the 'pv.alert_cmd_override = 1;'
is set. However, under Windows you need to
specify the -s option to tell the system what syslog server to log to.
So, if you want to use '-s', but also want to go through the snort.conf,
just set pv.alert_cmd_override to 0.
Recompile and you're good to go.
Since this question pops up repeatedly, I wonder if it wouldn't make
sense to set that flag to 0 by default for the Win32 users...
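As an added illustration (not Snort's own code and not part of the original post), the program below models the two things the quoted snort.c fragment does: splitting the '-s server[:port]' argument into a server name and a port that defaults to 514, and the alert_cmd_override decision that determines whether the snort.conf alert outputs survive alongside the command-line syslog output. The function names parse_syslog_target and select_alert_outputs and the constants are hypothetical. Unlike the atoi() in the original, the parser rejects a non-numeric or out-of-range port instead of silently producing port 0, which is the failure mode a defender would otherwise only notice when alerts never arrive at the collector.

```c
/* Added example, not Snort's code: a stand-alone model of the
 * '-s server[:port]' handling and of the alert_cmd_override flag
 * discussed in the thread.  All names here are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STD_BUF 1024            /* same buffer size name the fragment uses */
#define SYSLOG_DEFAULT_PORT 514 /* the (num_toks == 1) ? 514 : ... default */

struct syslog_target {
    char server[STD_BUF];
    int  port;
};

/* Split "host[:port]" the way the mSplit()/strncpy() block does.
 * Returns 0 on success, -1 on an empty host, an oversized host,
 * or a port that is missing, non-numeric or outside 1..65535
 * (atoi() in the original would silently yield 0 for "host:abc"). */
int parse_syslog_target(const char *arg, struct syslog_target *t)
{
    const char *colon;
    size_t hostlen;
    char *end;
    long port;

    if (arg == NULL || t == NULL)
        return -1;

    colon = strchr(arg, ':');
    hostlen = colon ? (size_t)(colon - arg) : strlen(arg);
    if (hostlen == 0 || hostlen >= STD_BUF)
        return -1;

    memcpy(t->server, arg, hostlen);
    t->server[hostlen] = '\0';

    if (colon == NULL) {                /* no ":port" given: default to 514 */
        t->port = SYSLOG_DEFAULT_PORT;
        return 0;
    }

    if (colon[1] == '\0')               /* "host:" with nothing after the colon */
        return -1;
    port = strtol(colon + 1, &end, 10);
    if (*end != '\0' || port < 1 || port > 65535)
        return -1;
    t->port = (int)port;
    return 0;
}

/* Model of the override decision.  With alert_cmd_override set (what -s
 * does in the stock source) only the command-line syslog output stays
 * active; with it cleared (the patch the post proposes) the snort.conf
 * outputs are kept as well.  Returns the number of active alert outputs. */
int select_alert_outputs(int syslog_flag, int alert_cmd_override,
                         int config_output_count)
{
    int active = 0;
    if (syslog_flag)
        active += 1;                    /* the -s syslog output */
    if (!syslog_flag || !alert_cmd_override)
        active += config_output_count;  /* outputs from snort.conf */
    return active;
}

int main(void)
{
    struct syslog_target t;

    /* constructed sample arguments */
    if (parse_syslog_target("10.0.0.5", &t) == 0)
        printf("server=%s port=%d\n", t.server, t.port);
    if (parse_syslog_target("logger.example:1514", &t) == 0)
        printf("server=%s port=%d\n", t.server, t.port);
    if (parse_syslog_target("logger.example:abc", &t) != 0)
        printf("rejected non-numeric port\n");

    printf("outputs with -s and override=1: %d\n", select_alert_outputs(1, 1, 2));
    printf("outputs with -s and override=0: %d\n", select_alert_outputs(1, 0, 2));
    return 0;
}
```

With two outputs configured in snort.conf, the stock behaviour (override set) leaves a single active output, the patched behaviour (override cleared) leaves three.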