Re: [Snort-users] Multiple Snort sensors

Poppi, Sandro Sandro.Poppi at ...3316...
Mon Mar 25 05:20:33 EST 2002


Fermin,

I would suggest 2 alternatives:

1. Use the output plugin alert_syslog in snort.conf to log to syslog and
forward all syslog entries from snort to a central syslog. On a Red Hat Linux
box this would be:

Server
/etc/sysconfig/syslog:
SYSLOGD_OPTIONS="-m 0 -r"

/etc/syslog.conf:
local0.*		/var/log/messages

Remote "Client"
/etc/syslog.conf:
local0.*		@<ip/hostname of syslog server>

/etc/snort/snort.conf:
output alert_syslog: LOG_LOCAL0 LOG_ALERT LOG_PID

2. Use barnyard when performance of snort is an issue:
let snort use the output plugin alert_unified to log to a local file and let
barnyard take that file as input to log to a central station. This could
also be a central database server like MySQL.

For barnyard-related stuff take a look at www.snort.org and/or
sourceforge.net/projects/barnyard.

HTH,
Sandro
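Once several sensors forward their alert_syslog output to one central
/var/log/messages, the lines from host1, host2 and host3 are interleaved in a
single file, and the LOG_PID option is what keeps each sensor's entries
distinguishable. The script below is an added example (not part of Sandro's
reply or of the Snort/barnyard projects) that parses such a merged file,
skips non-Snort lines, counts alerts per sensor and per signature ID, and
reports signatures that fired on more than one sensor. The sample lines are
constructed to follow the usual alert_syslog layout; the hostnames, PIDs,
addresses and signature IDs in them are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of a central /var/log/messages receiving local0.* from
# three sensors (hostnames, PIDs, addresses and SIDs are made-up values).
SAMPLE_LOG = """\
Mar 25 05:20:33 host1 snort[1234]: [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.5 -> 10.0.1.10
Mar 25 05:20:34 host2 snort[2345]: [1:1256:2] WEB-IIS CodeRed v2 root.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 10.0.0.7:3171 -> 10.0.2.20:80
Mar 25 05:20:35 host1 snort[1234]: [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.5 -> 10.0.1.11
Mar 25 05:20:36 host3 sshd[987]: Accepted password for alice from 10.0.0.9 port 40000 ssh2
Mar 25 05:20:37 host3 snort[3456]: [1:1256:2] WEB-IIS CodeRed v2 root.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 10.0.0.7:3172 -> 10.0.3.30:80
"""

# One syslog line as written by alert_syslog with LOG_PID:
#   <timestamp> <sensor> snort[<pid>]: [gid:sid:rev] <msg> [Classification: ..]
#   [Priority: n]: {PROTO} src[:port] -> dst[:port]
SNORT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) "
    r"(?P<sensor>\S+) snort\[(?P<pid>\d+)\]: "
    r"\[(?P<sid>\d+:\d+:\d+)\] (?P<msg>.*?) "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?"
    r"\[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)


def parse_alert(line):
    """Return the fields of one Snort alert_syslog line as a dict, or None
    for any other syslog line (other daemons, unexpected layouts)."""
    m = SNORT_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["prio"] = int(rec["prio"])
    return rec


def summarize(log_text):
    """Aggregate a merged central log: alerts per sensor, alerts per SID,
    and the SIDs that were seen by more than one sensor."""
    alerts = [a for a in map(parse_alert, log_text.splitlines()) if a]
    per_sensor = Counter(a["sensor"] for a in alerts)
    per_sid = Counter(a["sid"] for a in alerts)
    sensors_by_sid = defaultdict(set)
    for a in alerts:
        sensors_by_sid[a["sid"]].add(a["sensor"])
    multi = {sid: sorted(s) for sid, s in sensors_by_sid.items() if len(s) > 1}
    return {
        "alerts": alerts,
        "per_sensor": dict(per_sensor),
        "per_sid": dict(per_sid),
        "seen_on_multiple_sensors": multi,
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for sensor, n in sorted(summary["per_sensor"].items()):
        print(f"{sensor}: {n} alert(s)")
    for sid, sensors in summary["seen_on_multiple_sensors"].items():
        print(f"SID {sid} fired on {', '.join(sensors)}")
```

Run it against the real file with `summarize(open("/var/log/messages").read())`;
lines from sshd and other daemons on the same local0 facility are ignored
rather than mis-parsed, and the per-sensor hostname comes from the syslog
header, so nothing in the Snort rule set needs to differ between sensors.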

> Hello everyone.
> 
> I would like to know if it is possible to have multiple Snort sensors
> running simultaneously on different hosts outputting logs to
> the same place, or if it is not possible due to some concurrency
> problems.
> 
> I mean,
> 
> snort -l log [...] in host1
> snort -l log [...] in host2
> snort -l log [...] in host3
> 
> where log is a shared directory (via NFS, for example).
> 
> Thanks in advance.
> 
> ------------
> Fermin Galan
> 