AW: [Snort-users] Multiple Snort sensors

Poppi, Sandro Sandro.Poppi at ...3316...
Mon Mar 25 05:20:33 EST 2002


I would suggest 2 alternatives:

1. Use the output plugin alert_syslog in snort.conf to log to syslog and
forward all syslog entries from snort to a central syslog. On Red Hat Linux
this would be:


local0.*		/var/log/messages

Remote "Client"
local0.*		@<ip/hostname of syslog server>

output alert_syslog: LOG_LOCAL0 LOG_ALERT LOG_PID

2. Use barnyard when performance of snort is an issue:
let snort use output plugin alert_unified to log to a local file and let
barnyard take that file as input to log to a central station. This could
also be a central database server like mysql.

For barnyard related stuff take a look on and/or


> Hello everyone.
> I would like to know if it is possible to have multiple Snort sensors
> running simultaneously in different hosts outputting logs to
> the same place or if it is not possible due to some concurrency
> problems.
> I mean,
> snort -l log [...] in host1
> snort -l log [...] in host2
> snort -l log [...] in host3
> where log is a shared directory (via NFS, for example).
> Thanks in advance.
> ------------
> Fermin Galan
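Added example, not part of the original post: once several sensors forward local0.* to one syslog server (alternative 1 above), the alerts land in a file shared with other daemons, so this sketch filters the Snort lines and tallies them per sensor. The log lines, hostnames, SIDs and the exact alert layout are constructed assumptions; adjust the pattern to what your Snort version writes.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of a central /var/log/messages fed by three sensors
# (hostnames, PIDs, SIDs and addresses are made up for illustration).
SAMPLE_LOG = """\
Mar 25 05:20:33 sensor1 snort[812]: [1:1000001:1] Constructed ICMP sweep [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 192.0.2.10 -> 198.51.100.5
Mar 25 05:20:41 sensor2 snort[1544]: [1:1000002:2] Constructed web probe [Classification: Web Application Attack] [Priority: 1]: {TCP} 192.0.2.77:3112 -> 198.51.100.8:80
Mar 25 05:21:02 sensor1 snort[812]: [1:1000001:1] Constructed ICMP sweep [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 192.0.2.10 -> 198.51.100.6
Mar 25 05:21:07 sensor3 sshd[301]: Accepted password for admin from 192.0.2.1 port 4022
Mar 25 05:21:15 sensor2 snort[1544]: [1:1000003:1] Constructed rule without classtype {TCP} 192.0.2.9:4000 -> 198.51.100.8:25
"""

# Assumed layout: "<timestamp> <sensor host> snort[<pid>]: [gid:sid:rev] <msg>
# [Classification: ..] [Priority: n]: {PROTO} src -> dst"; bracketed parts optional.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<sensor>\S+)\ssnort(?:\[(?P<pid>\d+)\])?:\s"
    r"(?:\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s)?"
    r"(?P<msg>.*?)"
    r"(?:\s\[Classification:\s(?P<cls>[^\]]+)\])?"
    r"(?:\s\[Priority:\s(?P<prio>\d+)\]:?)?"
    r"\s\{(?P<proto>\w+)\}\s(?P<src>\S+)\s->\s(?P<dst>\S+)$"
)

def parse_alert(line):
    """Return a dict for a Snort syslog alert line, or None for anything else."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    alert = m.groupdict()
    alert["prio"] = int(alert["prio"]) if alert["prio"] else None
    return alert

def summarize(log_text):
    """Count alerts per sensor and per (sensor, message) pair."""
    per_sensor = Counter()
    per_rule = defaultdict(Counter)
    for line in log_text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue  # not a Snort alert (other daemons share the file)
        per_sensor[alert["sensor"]] += 1
        per_rule[alert["sensor"]][alert["msg"]] += 1
    return per_sensor, per_rule

if __name__ == "__main__":
    totals, by_rule = summarize(SAMPLE_LOG)
    for sensor in sorted(totals):
        print(sensor, totals[sensor], dict(by_rule[sensor]))
```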