[Snort-users] Snort Syslog Alerts on Win32

Frank Knobbe fknobbe at ...652...
Sat Jan 4 17:34:02 EST 2003


On Sat, 2003-01-04 at 15:59, L. Christopher Luther wrote:
> Unfortunately, using the command line parameter for syslog is not an
> option, exactly because I don't want to clobber the other output
> plug-ins in the snort.conf file.  And it probably will not work anyway
> under Win32 (see the post/rant I just sent to the list).  It appears
> that  "syslog" under Win32 really means "Event Log", which just will
> not do.  
> 
> Presuming that Snort under Win32 will some day really support syslog
> output, hopefully then there will also be a "host=" and "port=" option
> for the alert_syslog plug-in.  


Chris,

if you search the archives you will come across (almost monthly)
postings like yours. I had written a patch to Snort at some time in the
past (I think that's almost 2-3 years ago). That patch will allow you to
use '-s <host>' on the command line under Windows without nullifying the
snort.conf. In other words, Snort still uses all settings from
snort.conf but in addition uses the host from '-s' to send syslog alerts
to.

Why this still hasn't been committed, I can't answer. Even though this
issue is raised very frequently, the developers/committers have yet to
add a satisfactory solution to the source. My patch worked for me (and
others), but I guess wasn't worthy for addition to Snort. Until that
issue is finally addressed, we'll see questions like this asked
routinely.

So, again, search the archives and you'll find a patch for Snort. Apply
that to the source, recompile, and you can send syslog alerts to a
remote host under Windows.

Regards,
Frank
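
To make concrete what the thread is asking for (real remote syslog output with a host and port, rather than the Win32 Event Log), here is an added example that is not part of Frank's patch or of Snort: a small Python sender that formats an alert line as an RFC 3164 syslog datagram and sends it over UDP to a collector. The facility/severity defaults (LOG_AUTH, LOG_ALERT), the port 514, the sensor hostname and the alert text are assumptions or constructed for the example.

```python
import socket
from datetime import datetime

# RFC 3164 numeric codes (subset). PRI = facility * 8 + severity.
FACILITIES = {"LOG_AUTH": 4, "LOG_LOCAL0": 16, "LOG_LOCAL7": 23}
SEVERITIES = {"LOG_EMERG": 0, "LOG_ALERT": 1, "LOG_CRIT": 2, "LOG_WARNING": 4}


def build_syslog_datagram(msg, facility="LOG_AUTH", severity="LOG_ALERT",
                          hostname="sensor1", tag="snort", when=None):
    """Return the bytes of one RFC 3164 message: <PRI>TIMESTAMP HOST TAG: MSG.

    Defaults follow Snort's documented alert_syslog defaults (assumption);
    'sensor1' is a constructed hostname.
    """
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    when = when or datetime.now()
    # RFC 3164 timestamp: "Mmm dd hh:mm:ss" with a space-padded day.
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    line = f"<{pri}>{ts} {hostname} {tag}: {msg}"
    # Classic syslog is 7-bit; replace anything else rather than fail.
    return line.encode("ascii", "replace")


def send_alert(msg, host, port=514, **fmt):
    """Send one alert datagram to host:port and return the byte count sent."""
    data = build_syslog_datagram(msg, **fmt)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(data, (host, port))


if __name__ == "__main__":
    # Constructed alert text in Snort's usual alert line shape; the SID is
    # in the local-rules range and the addresses are private test values.
    sample = ("[1:1000001:0] Constructed test alert [Priority: 1] "
              "{TCP} 10.0.0.5:4444 -> 10.0.0.9:80")
    print(build_syslog_datagram(sample).decode())
    send_alert(sample, "127.0.0.1")  # UDP: no error if nobody is listening
```

Plain UDP syslog carries no authentication or integrity protection, so a collector fed this way should sit on a management network and treat sensor hostnames as advisory.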
