[Snort-users] Remote syslog server using snort.conf

Frank Knobbe fknobbe at ...652...
Sun Aug 25 09:41:02 EDT 2002

On Sat, 2002-08-24 at 22:48, Wayne T Work wrote:
> Try uncommenting these lines in the conf and fill in the data for SYSlog 
> and MySQL

That only works for non-Windows systems. Under Windows, if you want to
log to a remote syslog server (using -s in the command line) *and*
outputs configured in snort.conf, you have to hack the source code and

Specifically, in snort.c, within ParseCmdLine, you find the section:

            case 's':  /* log alerts to syslog */
                pv.syslog_flag = 1;
                DebugMessage(DEBUG_INIT, "Logging alerts to syslog\n");
                /* command line alerting option has been specified, 
                 * override the alert options in the config file
                 */
                pv.alert_cmd_override = 1;
#ifdef WIN32
                pv.syslog_remote_flag = 1;
                toks = mSplit(optarg, ":", 2, &num_toks, 0);
                strncpy(pv.syslog_server, toks[0], STD_BUF-1);
                pv.syslog_server_port = (num_toks == 1) ? 514 :
                DebugMessage(DEBUG_INIT, "Logging alerts to syslog server %s on port %d\n",

Since command line args override the snort.conf, 'pv.alert_cmd_override = 1;'
is set. However, under Windows you need to specify the -s option to tell
the system what syslog server to log to. So, if you want to use '-s', but
also want to go through the snort.conf, just set pv.alert_cmd_override to 0.

Recompile and you're good to go.

Since this question pops up repeatedly, I wonder if it wouldn't make
sense to set that flag to 0 by default for the Win32 users...


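The behaviour discussed in this thread, as an added example that is not code from the Snort source or from the poster: a stand-alone C model of the WIN32 '-s host[:port]' handling (split once on ':', default port 514) together with the pv.alert_cmd_override decision that decides whether snort.conf output plugins still run. The struct name 'progvars', the functions 'parse_syslog_arg' and 'conf_output_active', and the 'keep_conf_outputs' switch are assumptions made for illustration; unlike the excerpt above, this version also rejects an empty host and a non-numeric or out-of-range port instead of accepting whatever follows the colon.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STD_BUF 1024              /* same buffer size name the excerpt uses */
#define DEFAULT_SYSLOG_PORT 514

/* Subset of Snort's pv fields touched by the 's' case; names mirror the excerpt,
 * the struct itself is an assumption for this example. */
struct progvars {
    int  syslog_flag;
    int  alert_cmd_override;      /* 1 = -s silences snort.conf outputs, 0 = both active */
    int  syslog_remote_flag;
    char syslog_server[STD_BUF];
    int  syslog_server_port;
};

/* Model of the WIN32 branch of 'case s': optarg is "host" or "host:port".
 * keep_conf_outputs == 0 reproduces the stock flag (alert_cmd_override = 1);
 * nonzero reproduces the one-line patch from the post (alert_cmd_override = 0).
 * Returns 0 on success, -1 on an empty/oversized host or a bad port. */
int parse_syslog_arg(struct progvars *pv, const char *optarg, int keep_conf_outputs)
{
    const char *colon;
    size_t hostlen;
    char *end;
    long port;

    memset(pv, 0, sizeof *pv);
    pv->syslog_flag = 1;
    pv->alert_cmd_override = keep_conf_outputs ? 0 : 1;
    pv->syslog_remote_flag = 1;

    /* mSplit(optarg, ":", 2, ...) yields at most two tokens; strchr gives the same split */
    colon = strchr(optarg, ':');
    hostlen = colon ? (size_t)(colon - optarg) : strlen(optarg);
    if (hostlen == 0 || hostlen >= STD_BUF)
        return -1;
    memcpy(pv->syslog_server, optarg, hostlen);
    pv->syslog_server[hostlen] = '\0';   /* explicit terminator instead of relying on strncpy */

    if (colon == NULL) {
        pv->syslog_server_port = DEFAULT_SYSLOG_PORT;   /* num_toks == 1 case */
    } else {
        if (colon[1] == '\0')
            return -1;                                  /* "host:" has no port */
        port = strtol(colon + 1, &end, 10);
        if (*end != '\0' || port < 1 || port > 65535)
            return -1;                                  /* junk or out of range */
        pv->syslog_server_port = (int)port;
    }
    return 0;
}

/* The rule the post describes: a command-line alert option overrides the
 * alert/output options in snort.conf unless alert_cmd_override is 0. */
int conf_output_active(const struct progvars *pv)
{
    return pv->alert_cmd_override == 0;
}

int main(void)
{
    struct progvars pv;
    const char *args[] = { "loghost", "10.0.0.5:1514", "loghost:abc" };   /* constructed inputs */
    int keep;
    size_t i;

    for (keep = 0; keep <= 1; keep++) {
        printf("alert_cmd_override forced to %d:\n", keep ? 0 : 1);
        for (i = 0; i < sizeof args / sizeof args[0]; i++) {
            if (parse_syslog_arg(&pv, args[i], keep) != 0) {
                printf("  -s %-16s rejected\n", args[i]);
                continue;
            }
            printf("  -s %-16s -> server %s port %d, snort.conf outputs %s\n",
                   args[i], pv.syslog_server, pv.syslog_server_port,
                   conf_output_active(&pv) ? "active" : "suppressed");
        }
    }
    return 0;
}
```

The point to check after applying the patch from the post is the last column: with alert_cmd_override left at 1 every snort.conf output plugin is suppressed whenever -s is given, which is exactly the symptom that keeps the question coming back.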