[Snort-users] Snort Syslog Alerts on Win32
L. Christopher Luther
CLuther at ...6333...
Sat Jan 4 21:42:05 EST 2003
Thanks, Frank. I'll search the archives (soon) to see what I can find. I
really liked the Snort forum on RapidNet -- it made searching much easier --
but alas, it's gone by the wayside.
From: Frank Knobbe [mailto:fknobbe at ...652...]
Sent: Saturday, January 04, 2003 8:33 PM
To: L. Christopher Luther
Cc: Snort-Users (E-mail)
Subject: RE: [Snort-users] Snort Syslog Alerts on Win32
On Sat, 2003-01-04 at 15:59, L. Christopher Luther wrote:
> Unfortunately, using the command line parameter for syslog is not an
> option, exactly because I don't want to clobber the other output
> plug-ins in the snort.conf file. And it probably will not work anyway
> under Win32 (see the post/rant I just sent to the list). It appears
> that "syslog" under Win32 really means "Event Log", which just will
> not do.
> Presuming that Snort under Win32 will some day really support syslog
> output, hopefully then there will also be a "host=" and "port=" option
> for the alert_syslog plug-in.
If you search the archives you will come across (almost monthly)
postings like yours. I had written a patch to Snort at some time in the
past (I think that's almost 2-3 years ago). That patch will allow you to
use '-s <host>' on the command line under Windows without nullifying the
snort.conf. In other words, Snort still uses all settings from
snort.conf but in addition uses the host from '-s' to send syslog alerts
Why this still hasn't been committed, I can't answer. Even though this
issue is raised very frequently, the developers/committers have yet to
add a satisfactory solution to the source. My patch worked for me (and
others), but I guess wasn't worthy for addition to Snort. Until that
issue is finally addressed, we'll see questions like this asked
So, again, search the archives and you'll find a patch for Snort. Apply
that to the source, recompile, and you can send syslog alerts to a
remote host under Windows.