[Snort-users] Snort syslog + mysql + eventlog

Romulo M. Cholewa rmc at ...8111...
Tue Apr 20 05:17:17 EDT 2004

Hi there,

I searched the list for some info on this and found some issues in
the past that somewhat confirm what I'm experiencing.

The problem is, I can't get snort (win32 212) to log to those facilities
at the same time.

In fact, if I use any command line logging switch BUT the -l (log file)
the other logs are disabled. For example, if I use the -E, only eventlog
logging will occur. If I use the -s, only syslog will occur.

But what I need is snort logging to the event log, to a mysql database
and to syslog. I can get it to log to the database and to the eventlog
at the same time, but I can't get it to log to syslog too.

I read the manual and it appears that the syslog syntax is something
like this:

output alert_syslog: host=x.y.z.w:514, LOG_facility LOG_priority

The syslog server is a Kiwi Syslog Daemon. I tried the following logs:

output alert_syslog: LOG_AUTH LOG_ALERT
output alert_syslog: host=x.y.z.w:514, LOG_LOCAL0 LOG_DEBUG
output alert_full: alert.ids
output database: log, mysql, user=snort password=<secret> dbname=acid

I also tried commenting out the first syslog line, leaving only the...

output alert_syslog: host=x.y.z.w:514, LOG_LOCAL0 LOG_DEBUG

... and also tried different facilities and priorities. No syslog
occurred. It only works if I specify the -s switch in the command line
but then, eventlog and database logging stops (and I can't redirect the
syslog output).

Any ideas / workarounds ? Is it a known issue, or not an issue at all
(ok, I need some sleep anyway...) ?

Thanks in advance,

Romulo M. cholewa
Home: http://www.rmc.eti.br
News: http://www.rmc.eti.br/news
PGP key id 0x7F8A3B40
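
Added example (not part of the original post and not Snort code): a small checker that parses the `output` directives quoted above and lists which configured plugins would go silent for a given command line. The rule it applies (that -s and -E each leave only their own sink active) is an assumption taken from the behaviour reported in this post, and the function names are hypothetical.

```python
import re

# Constructed sample: the output directives quoted in the post.
SAMPLE_CONF = """\
output alert_syslog: LOG_AUTH LOG_ALERT
output alert_syslog: host=x.y.z.w:514, LOG_LOCAL0 LOG_DEBUG
output alert_full: alert.ids
output database: log, mysql, user=snort password=<secret> dbname=acid
"""

# Assumption from the post: each of these switches leaves only the named
# sink active; -l is not included because the post says it is the exception.
EXCLUSIVE_SWITCHES = {"-s": "alert_syslog", "-E": "eventlog"}
OUTPUT_RE = re.compile(r"^\s*output\s+(\w+)\s*:?\s*(.*)$")

def parse_outputs(conf_text):
    """Return [(plugin, args)] for every uncommented `output` line."""
    outputs = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]  # drop comments (naive: ignores '#' in values)
        m = OUTPUT_RE.match(line)
        if m:
            outputs.append((m.group(1), m.group(2).strip()))
    return outputs

def syslog_target(args):
    """Split alert_syslog args into (host, port, options); host is None if local."""
    host = port = None
    m = re.match(r"host=([^\s,:]+)(?::(\d+))?\s*,?\s*(.*)$", args)
    if m:
        host, port, args = m.group(1), int(m.group(2) or 514), m.group(3)
    return host, port, args.split()

def suppressed_by(argv, outputs):
    """Configured plugins that would stop logging, per the post's observation."""
    active = [EXCLUSIVE_SWITCHES[a] for a in argv if a in EXCLUSIVE_SWITCHES]
    if not active:
        return []
    return [plugin for plugin, _ in outputs if plugin not in active]
```

Running `suppressed_by` against the service's actual command line before deployment shows whether a configured alert sink is about to be dropped without any error.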
