[Snort-users] Problems logging to syslog and mysql simultaneously

Don Don at ...5881...
Wed Jun 19 17:18:10 EDT 2002


I have this setup the same on multiple systems, so a system problem is not
likely. The -s switch on the snort command line is used as such:
snort -s 12.34.12.1:514
or whatever your remote syslog server IP address is, as well as the port
number it listens on for UDP syslog messages.
I've tried the snort.conf entries just as you suggested; it does not work
on any system I have. Again, I don't see how multiple Win2k systems could
have some inherent problem that prevents this Snort function from working.
Yes, all systems are fully patched. I've been trying this for many months,
so it is highly unlikely that a recent Windows patch can be preventing it
from working. I've also tried on systems in varying stages of Windows
installation, i.e. Win2k plain, Win2k SP1, Win2k SP2, security rollup X,
etc.
As I said, the -s switch on the command line is the only way I have been
able to get Snort to syslog anywhere, even to a local syslog server.
This is on Win2k Pro (Win2k Server has also been tried) using the latest
Kiwi Syslog ver 7.01; it gets absolutely nothing from Snort using the
snort.conf file lines you suggest, and I know I should be getting alerts
since I'm pounding it with portscans and vuln scans from 2 remote systems,
whereas I get complete alerts when I use the command line -s switch to log
to the local syslog.

Don


> >-----Original Message-----
> >From: Michael Steele [mailto:michaels at ...155...]
> >Sent: Wednesday, June 19, 2002 4:39 PM
> >To: 'Don'
> >Cc: snort-users at lists.sourceforge.net
> >Subject: RE: [Snort-users] Problems logging to syslog and mysql
> >simultaneously
> >
> >
> >Don,
> >
> >What I sent you works here. I can turn the Syslog option off/on by
> >removing or adding the lines to snort.conf. Are there any events in your
> >Syslog? What version of windows? Have you upgraded to the latest Service
> >Pack?
> >
> >This is a strange problem, and more a system problem than a Snort
> >problem. The -s switch only works on UNIX, as far as I know. The only
> >option is what I sent you for sending alerts to the Syslog. It is a
> >very limited output of one line that is sent to Syslog when the plug-in
> >is turned on.
> >
> >You will get more information from your management console (Acid,
> >Snortsnarf, IDS Center, or whatever you're using) than from this Syslog
> >alert entry.
> >
> >Email alerting is what I'm looking for, but so far I have been unable to
> >find anything like Swatch that will monitor the Syslog and send out
> >alerts based on a pattern. This is useful if you are logging to Syslog,
> >but you are still only seeing a small part of the alert.
> >
> >-Michael
> >--
> > Michael Steele | System Engineer / Support Technician
> > mailto:michaels at ...155...
> > Silicon Defense: IDS solutions - http://www.silicondefense.com
> > Snort: Open Source Network IDS - http://www.snort.org
> >
> >
> >
> >-----Original Message-----
> >From: Don [mailto:Don at ...5881...]
> >Sent: Wednesday, June 19, 2002 3:34 PM
> >To: Michael Steele
> >Subject: RE: [Snort-users] Problems logging to syslog and mysql
> >simultaneously
> >
> >tried that, did that, just now again even, still nogo
> >
> >Don
> >
> >
> >-----Original Message-----
> >From: snort-users-admin at lists.sourceforge.net
> >[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Michael
> >Steele
> >Sent: Wednesday, June 19, 2002 3:13 PM
> >To: dlpassport at ...6137...
> >Cc: snort-users at lists.sourceforge.net
> >Subject: RE: [Snort-users] Problems logging to syslog and mysql
> >simultaneously
> >
> >
> >Dallas,
> >
> >Remove the -s switch and add these to your Snort.conf
> >
> >output alert_syslog: LOG_AUTH LOG_ALERT
> >output alert_full
> >
> >-Michael
> >--
> > Michael Steele | System Engineer / Support Technician
> > mailto:michaels at ...155...
> > Silicon Defense: IDS solutions - http://www.silicondefense.com
> > Snort: Open Source Network IDS - http://www.snort.org
> >
> >
> >
> >-----Original Message-----
> >From: snort-users-admin at lists.sourceforge.net
> >[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of
> >dlpassport at ...6137...
> >Sent: Wednesday, June 19, 2002 2:46 PM
> >To: snort-users at lists.sourceforge.net
> >Subject: RE: [Snort-users] Problems logging to syslog and mysql
> >simultaneously
> >
> >I'm still experiencing the same problem logging to a local syslog, even
> >with the database logging disabled... it will only write there if I
> >specify the -s 127.0.0.1. I've got a feeling I'm missing something
> >obvious. Any suggestions?
> >
> >
> >Thanks,
> >DL
> >
> >
> >-----Original Message-----
> >From: Michael Steele [mailto:michaels at ...155...]
> >Sent: Wednesday, June 19, 2002 2:26 PM
> >To: dlpassport at ...6137...
> >Cc: snort-users at lists.sourceforge.net
> >Subject: RE: [Snort-users] Problems logging to syslog and mysql
> >simultaneously
> >
> >Dallas,
> >You need to pick up a syslog server like Kiwi Syslog Server or a freeware
> >one:
> >Snip--Snip ->
> >For stability I would recommend 3com's free syslog server for Windowz
> >http://support.3com.com/software/utilities_for_windows_32_bit.htm <--
> >for a bunch of goodies
> >ftp://ftp.3com.com/pub/utilbin/win32/3CSyslog.zip <-- for the syslog
> >server
> >It runs great on 2K & XP
> >This one may work:
> >http://www.cls.de/Default.asp
> >works well but randomly inserts fixed string in syslog output in
> >the freeware version.
> ><--snip-->
> >Hello list. I am running Snort 1.8.7-mysql-win32 and am having the
> >following problem.
> >I would like to log to the local mysql database as well as a remote
> >syslog.
> >From all that I can find, the only way to log to a remote syslog is
> >with a -s 1.1.1.1 option from the command line. When I specify this on
> >the command line, snort ignores my output database statement.
> >Is there any way to specify a remote syslog server within snort.conf?
> >What else could be causing this problem? I'd prefer not to log to a
> >local syslogd then forward.
> >Thanks,
> >Dallas LaRose
> ><--snip from snort.conf-->
> >output alert_syslog: LOG_AUTH LOG_ALERT
> >output database: log, mysql, user=snort password=blah dbname=snort
> >port=3306
> >host=localhost
> ><--snip-->
> ><--snip-->
> >
> >
> >------------------------------------------------------------------------
> >----
> >                   Bringing you mounds of caffeinated joy
> >                   >>>     http://thinkgeek.com/sf    <<<
> >
> >_______________________________________________
> >Snort-users mailing list
> >Snort-users at lists.sourceforge.net
> >Go to this URL to change user options or unsubscribe:
> >https://lists.sourceforge.net/lists/listinfo/snort-users
> >Snort-users list archive:
> >http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> >
> >
> >
> >
> >
> >
> >
> >
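The thread never settles whether the alerts are leaving Snort or the syslog server is simply not receiving them. The script below is an added example (not code from Snort, Kiwi or anyone in this thread) that isolates that question: it encodes the `LOG_AUTH LOG_ALERT` pair from the `output alert_syslog:` line into the BSD-syslog `<PRI>` header (facility * 8 + severity, so `<33>`), sends a constructed Snort-style alert as a UDP datagram to a host:port of your choosing (the same thing the `-s host:port` target receives), decodes what arrives, and runs a Swatch-style regex check over the body. The alert text is constructed to resemble Snort's one-line syslog output, not captured from a sensor, and the default port 514 is the standard syslog UDP port; point `send_udp` at your Kiwi host to confirm the listener works before blaming the Snort plug-in.

```python
"""BSD-syslog (RFC 3164 style) helper for debugging Snort's alert_syslog output.

Added example for this thread; not part of Snort or any syslog server product.
"""
import re
import socket

# Facility and severity codes behind the syslog(3) constants that Snort's
# alert_syslog plug-in takes on its config line (LOG_AUTH LOG_ALERT here).
FACILITIES = {
    "LOG_KERN": 0, "LOG_USER": 1, "LOG_MAIL": 2, "LOG_DAEMON": 3,
    "LOG_AUTH": 4, "LOG_SYSLOG": 5, "LOG_LPR": 6, "LOG_NEWS": 7,
    "LOG_UUCP": 8, "LOG_CRON": 9, "LOG_AUTHPRIV": 10, "LOG_FTP": 11,
    "LOG_LOCAL0": 16, "LOG_LOCAL1": 17, "LOG_LOCAL2": 18, "LOG_LOCAL3": 19,
    "LOG_LOCAL4": 20, "LOG_LOCAL5": 21, "LOG_LOCAL6": 22, "LOG_LOCAL7": 23,
}
SEVERITIES = {
    "LOG_EMERG": 0, "LOG_ALERT": 1, "LOG_CRIT": 2, "LOG_ERR": 3,
    "LOG_WARNING": 4, "LOG_NOTICE": 5, "LOG_INFO": 6, "LOG_DEBUG": 7,
}


def encode_pri(facility: str, severity: str) -> int:
    """PRI value carried in the <N> header: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_message(facility: str, severity: str, tag: str, text: str) -> bytes:
    """Build a syslog datagram: <PRI>TAG: text. Timestamp and hostname are
    omitted; receivers fill them in from arrival time and source address."""
    return f"<{encode_pri(facility, severity)}>{tag}: {text}".encode()


_PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_message(datagram: bytes):
    """Split a received datagram into (facility_name, severity_name, body)."""
    m = _PRI_RE.match(datagram)
    if not m:
        raise ValueError("no <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError("PRI out of range")
    fac = {v: k for k, v in FACILITIES.items()}.get(pri // 8, f"facility{pri // 8}")
    sev = {v: k for k, v in SEVERITIES.items()}[pri % 8]
    return fac, sev, m.group(2).decode(errors="replace")


def send_udp(datagram: bytes, host: str, port: int) -> int:
    """Fire one UDP datagram at a syslog listener; returns bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(datagram, (host, port))


def loopback_roundtrip(datagram: bytes):
    """Bind a throwaway UDP listener on 127.0.0.1, send to it, decode the result.
    Proves the sender side works without needing a real syslog server."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2)
        send_udp(datagram, *rx.getsockname())
        data, _ = rx.recvfrom(4096)
    return decode_message(data)


# Constructed sample in the general shape of a Snort alert_syslog line
# (assumed format for illustration, not captured from a real sensor).
SAMPLE_ALERT = ("[1:1234:1] Example portscan detected [Classification: Attempted "
                "Information Leak] [Priority: 2]: {TCP} 10.0.0.5:4444 -> 10.0.0.9:22")


def alert_matches(body: str, patterns) -> bool:
    """Swatch-style check: does the alert body hit any of the regex patterns?"""
    return any(re.search(p, body) for p in patterns)


if __name__ == "__main__":
    msg = build_message("LOG_AUTH", "LOG_ALERT", "snort", SAMPLE_ALERT)
    print(loopback_roundtrip(msg))
    # To test a real receiver such as Kiwi on the standard syslog port:
    # send_udp(msg, "127.0.0.1", 514)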






More information about the Snort-users mailing list