[Snort-users] Send alerts to a remote host

Matt Kettler mkettler at ...4108...
Thu Sep 25 09:08:07 EDT 2003


At 08:10 AM 9/25/2003, Потапов Владимир wrote:
>I want my packet filter with Snort to send all logs and alerts to 
>a remote host. How can I do that?

Use syslog as your output plugin for snort, then configure your syslogd to 
send copies to another host.

On most older-style systems, it's /etc/syslog.conf that you need to edit.

Assuming a system based on sysklogd, and not any of the newer system 
logging facilities:

First make snort's output go to syslog with log facility local4 in 
snort.conf (you can pick any local facility that's unused, I just grabbed 4 
off the top of my head)
         output alert_syslog: LOG_LOCAL4 LOG_ALERT

and add a redirector to your /etc/syslog.conf on your snort box:

         local4.alert    @myremotesyslogserver.mydomain.com

On your remote syslog server, be sure to start syslogd with -r so that it 
will honor inbound packets from the network.
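
An added example, not part of the original message: a Python sketch of what the setup above puts on the wire. It builds the syslog datagram for facility local4 at priority alert, decodes it the way a receiver would, and checks it against a plain "facility.priority" selector. The function names and the sample alert text are constructed for illustration, and the selector check covers only the simple form used above.

```python
import re
import socket

# Facility codes from <syslog.h>; 12-15 are left unnamed, local0..local7 are 16..23.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", None, None, None, None] + \
             [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Constructed sample text, not real Snort output.
SAMPLE = "snort: [1:1000001:1] constructed test alert"

def encode(facility, severity, text):
    """Build the datagram: '<PRI>' + text, where PRI = facility * 8 + severity."""
    pri = FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)
    return f"<{pri}>{text}".encode()

def decode(datagram):
    """Return (facility, severity, text); raise ValueError on a missing or bad PRI."""
    m = re.match(rb"<(\d{1,3})>(.*)", datagram, re.S)
    if not m or int(m.group(1)) > 191:          # 191 = local7.debug, the highest PRI
        raise ValueError("not a syslog datagram")
    fac, sev = divmod(int(m.group(1)), 8)
    text = m.group(2).decode(errors="replace").rstrip("\n")
    return FACILITIES[fac] or str(fac), SEVERITIES[sev], text

def selector_matches(selector, facility, severity):
    """Plain 'facility.priority' selector: that priority and anything more severe."""
    sel_fac, sel_pri = selector.split(".")
    if sel_fac not in ("*", facility):
        return False
    return sel_pri == "*" or SEVERITIES.index(severity) <= SEVERITIES.index(sel_pri)

def loopback_demo(text):
    """Send one datagram over UDP on 127.0.0.1 and decode what the receiver sees."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind(("127.0.0.1", 0))   # ephemeral port here; syslogd -r listens on UDP 514
        rx.settimeout(2)
        tx.sendto(encode("local4", "alert", text), rx.getsockname())
        data, peer = rx.recvfrom(2048)
        return decode(data), peer[0]

if __name__ == "__main__":
    print(loopback_demo(SAMPLE))
```

The forwarded alert is a cleartext UDP datagram with no sender authentication, so on the log server it is worth restricting UDP 514 to the sensor's address.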