[Snort-users] Syslog How To

Erek Adams erek at ...950...
Thu Jul 17 06:58:02 EDT 2003

On Thu, 17 Jul 2003, Jason wrote:

> I would like to send alerts to a remote syslog server. I am new to Snort
> (and linux) and don't understand how to configure this. My snort.conf
> file has the "output alert_syslog: LOG_AUTH LOG_ALERT LOG_NDELAY" line.
> I have a windows server running kiwi syslog and would like to log to
> that. Would anyone be generous enough to send me their configuration
> file so I have something to reference. I have several other questions
> about the snort.conf file and this could possibly clear up some
> confusion. Thanks for the help,

It's actually simple.

First:  What OS are you running on your sensor?  I think from what you
wrote that it's a version of Linux, so I'll work with that.

Second:  Make whatever changes you need to syslog.conf.  Once the changes
are made, send a HUP to syslogd.

Third:  Start Snort.  :)

Now, since you say you're new to Linux I'm going to assume that steps 2 and
3 might give you a bit of fun.  :)  'man syslog.conf' for starters.
Basically it's the file that syslogd uses for its config info.  If you
add a line something like:

	     auth.alert                             @some.host.somewhere

Now, you can do more things, but that's the most basic.

If you're not familiar, 'sending a HUP' means that you send a HUP signal
to the syslogd daemon.

	ps -ef  (or ps -auxww) |grep syslogd

You'll see a line that looks something like:

  root 15028 0.0 0.0 100 380 ??  Is 12:40PM 0:00.35 syslogd

The process ID is 15028.

  kill -HUP 15028

That should get you going.


Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
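The three steps above (map Snort's alert_syslog facility/priority to a syslog.conf selector, write the forwarding line, find syslogd and HUP it) as an added shell example; this is not Erek's or Snort's own code. The remote host name and the sample ps line are constructed.

```shell
#!/bin/sh
# Added example, not from the original post or from Snort. The host name and
# the sample ps line below are constructed. Run with no arguments it only
# prints; nothing touches the live system unless hup_syslogd is called.

# Snort's "output alert_syslog: LOG_AUTH LOG_ALERT LOG_NDELAY" names a
# facility (LOG_AUTH) and a priority (LOG_ALERT); LOG_NDELAY is an openlog()
# option and has no place in syslog.conf. Turn the pair into a selector
# such as "auth.alert".
snort_selector() {
    fac=$(printf '%s' "$1" | sed 's/^LOG_//' | tr 'A-Z' 'a-z')
    pri=$(printf '%s' "$2" | sed 's/^LOG_//' | tr 'A-Z' 'a-z')
    printf '%s.%s\n' "$fac" "$pri"
}

# Build the syslog.conf forwarding line: selector, a tab, then "@host".
# Classic syslogd sends this over UDP port 514, so the receiving host
# (Kiwi in the thread) must be listening there.
forward_line() {
    printf '%s\t@%s\n' "$(snort_selector "$1" "$2")" "$3"
}

# Pull the PID out of one "ps -ef" / "ps aux" line: it is the second field
# in both formats, as in the line quoted in the post.
pid_from_ps() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# PID of the running syslogd, or empty if none. The "[s]yslogd" pattern keeps
# the grep process itself out of the match.
syslogd_pid() {
    ps -ef | grep '[s]yslogd' | head -n 1 | awk '{ print $2 }'
}

# Send HUP so syslogd re-reads syslog.conf; refuses to act on an empty PID.
hup_syslogd() {
    pid=$(syslogd_pid)
    [ -n "$pid" ] || { echo "syslogd not running" >&2; return 1; }
    kill -HUP "$pid"
}

# Constructed values: what the thread's config would produce.
forward_line LOG_AUTH LOG_ALERT remote.syslog.example
pid_from_ps 'root 15028 0.0 0.0 100 380 ?? Is 12:40PM 0:00.35 syslogd'
```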

