[Snort-users] Syslog How To
erek at ...950...
Thu Jul 17 06:58:02 EDT 2003
On Thu, 17 Jul 2003, Jason wrote:
> I would like to send alerts to a remote syslog server. I am new to Snort
> (and linux) and don't understand how to configure this. My snort.conf
> file has the "output alert_syslog: LOG_AUTH LOG_ALERT LOG_NDELAY" line.
> I have a windows server running kiwi syslog and would like to log to
> that. Would anyone be generous enough to send me their configuration
> file so I have something to reference. I have several other questions
> about the snort.conf file and this could possibly clear up some
> confusion. Thanks for the help,
It's actually simple.
First: What OS are you running on your sensor? I think from what you
wrote that it's a version of Linux, so I'll work with that.
Second: Make whatever changes you need to syslog.conf. Once the changes
are made, send a HUP to syslogd.
Third: Start Snort. :)
Now, since you say you're new to Linux I'm going to assume that steps 2 and
3 might give you a bit of fun. :) 'man syslog.conf' for starters.
Basically it's the file that syslogd uses for its config info. If you
add a line something like:
Now, you can do more things, but that's the most basic.
If you're not familiar, 'sending a HUP' means that you send a HUP signal
to the syslogd daemon.
ps -ef | grep syslogd   (or: ps -auxww | grep syslogd)
You'll see a line that looks something like:
root 15028 0.0 0.0 100 380 ?? Is 12:40PM 0:00.35 syslogd
The process ID is 15028.
kill -HUP 15028
That should get you going.
"When things get weird, the weird turn pro." H.S. Thompson
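The two mechanical steps in the reply above (a syslog.conf forwarding line that matches Snort's "output alert_syslog: LOG_AUTH LOG_ALERT" facility/priority, and finding syslogd's PID from a ps listing so it can be sent a HUP) as an added shell example; this is not code from the original post. The remote host name and the ps listing are constructed placeholders, and the classic "@host" selector syntax assumed here is the BSD/sysklogd syslog.conf form the post refers to with 'man syslog.conf'.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Assumes Snort logs with "output alert_syslog: LOG_AUTH LOG_ALERT", so the
# matching syslog.conf selector is facility "auth", priority "alert".

# Build the syslog.conf line that forwards auth.alert messages to a remote
# syslog host (classic syntax: selector, TAB, "@host"). The host is a placeholder.
forward_line() {
    printf 'auth.alert\t@%s\n' "$1"
}

# Read a "ps -ef" or "ps aux" style listing on stdin and print the PID
# (column 2 in both formats) of the syslogd process, skipping the
# "grep syslogd" line that a pipeline such as "ps -ef | grep syslogd" adds.
syslogd_pid() {
    awk '!/grep/ && /(^|[ \t]|\/)syslogd([ \t]|$)/ { print $2; exit }'
}

# Send SIGHUP to the running syslogd so it rereads syslog.conf.
# Not called below; run it as root after editing syslog.conf.
hup_syslogd() {
    pid=$(ps -ef | syslogd_pid)
    [ -n "$pid" ] || { echo "syslogd not found" >&2; return 1; }
    kill -HUP "$pid"
}

# Constructed ps listing modelled on the line in the post; the first line is
# the grep process itself and must be ignored.
SAMPLE_PS='root 15100 0.0 0.0 1234 456 pts/0 S+ 12:41PM 0:00.00 grep syslogd
root 15028 0.0 0.0 100 380 ?? Is 12:40PM 0:00.35 syslogd'

# Stand-alone run: show the config line and the PID extracted from the sample.
forward_line kiwi-host.example
printf '%s\n' "$SAMPLE_PS" | syslogd_pid
```

Two practical notes on this setup: the "@host" forwarding in classic syslog is plain, unauthenticated UDP to port 514, so any firewall between the sensor and the Kiwi host must allow it, and there is no delivery guarantee for alerts; and the selector must match the facility and priority Snort was told to use, or the messages land in the local auth log instead of reaching the remote server.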