AW: [Snort-users] Multiple Snort sensors
Sandro.Poppi at ...3316...
Mon Mar 25 05:20:33 EST 2002
I would suggest 2 alternatives:

1. Use the output plugin alert_syslog in snort.conf to log to syslog and
forward all syslog entries from snort to a central syslog. On Red Hat Linux
this would be:

    # /etc/sysconfig/syslog ("-r" makes syslogd accept remote messages, which the central server needs)
    SYSLOGD_OPTIONS="-m 0 -r"
    # /etc/syslog.conf
    local0.* @<ip/hostname of syslog server>
    # snort.conf
    output alert_syslog: LOG_LOCAL0 LOG_ALERT LOG_PID

2. Use barnyard when performance of snort is an issue:
let snort use output plugin alert_unified to log to a local file and let
barnyard take that file as input to log to a central station. This could
also be a central database server like mysql.

For barnyard related stuff take a look at www.snort.org and/or

> Hello everyone.
> I would like to know if it is possible to have multiple Snort sensors
> running simultaneously in different hosts outputting logs to
> the same place or if it is not possible due to some concurrence
> I mean,
> snort -l log [...] in host1
> snort -l log [...] in host2
> snort -l log [...] in host3
> where log is a shared directory (via NFS, for example).
> Thanks in advance.
> Fermin Galan
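
Added example (not part of the original message and not Snort project code): with alternative 1, every sensor's alerts land in one file on the central syslog server, and the syslog hostname plus the PID from LOG_PID still tell the sensors apart. The sketch below parses such a file, counts alerts per sensor and finds events reported by more than one sensor. The line layout "[gid:sid:rev] msg [Classification: ...] [Priority: n]: {PROTO} src -> dst", the host names, the sample lines and all function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of a central syslog file fed by three sensors (not real data).
SAMPLE_LOG = """\
Mar 25 05:20:31 host1 snort[812]: [1:1000001:1] Constructed test alert A [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.0.2.10:40112 -> 198.51.100.5:80
Mar 25 05:20:31 host2 snort[655]: [1:1000001:1] Constructed test alert A [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.0.2.10:40112 -> 198.51.100.5:80
Mar 25 05:20:32 host3 snort[901]: [1:1000002:3] Constructed test alert B [Priority: 1]: {ICMP} 192.0.2.77 -> 198.51.100.9
Mar 25 05:20:33 host1 sshd[4411]: Accepted password for demo from 192.0.2.3 port 50000
Mar 25 05:20:34 host1 snort[812]: truncated line without a rule id
"""

# Assumed alert_syslog layout; the classification field is treated as optional.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<sensor>\S+) snort\[(?P<pid>\d+)\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<prio>\d+)\]:? "
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)

def parse_alerts(text):
    """Return (alerts, unparsed): parsed alerts and snort lines that did not parse."""
    alerts, unparsed = [], []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            alerts.append(m.groupdict())
        elif " snort[" in line:
            unparsed.append(line)  # keep for review instead of silently dropping
    return alerts, unparsed

def alerts_per_sensor(alerts):
    """Count alerts per reporting sensor (the syslog hostname field)."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["sensor"]] += 1
    return dict(counts)

def seen_by_multiple_sensors(alerts):
    """Group by (sid, src, dst); return events reported by more than one sensor."""
    seen = defaultdict(set)
    for a in alerts:
        seen[(a["sid"], a["src"], a["dst"])].add(a["sensor"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    alerts, unparsed = parse_alerts(SAMPLE_LOG)
    print(alerts_per_sensor(alerts), seen_by_multiple_sensors(alerts), len(unparsed))
```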