[Snort-users] Syslogging question

Steve snort at ...12313...
Sun Aug 22 23:50:05 EDT 2004


Matt,

As I read it, the host= format only applies to the win32 version, not the
Unix version...

Steve


> -----Original Message-----
> From: Matt [mailto:matt at ...12315...]
> Sent: Monday, 23 August 2004 3:14 PM
> To: Steve
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Syslogging question
> 
> ####################################################################
> # Step #3: Configure output plugins
> #
> # Uncomment and configure the output plugins you decide to use. General
> # configuration for output plugins is of the form:
> #
> # output <name_of_plugin>: <configuration_options>
> #
> # alert_syslog: log alerts to syslog
> # ----------------------------------
> # Use one or more syslog facilities as arguments. Win32 can also optionally
> # specify a particular hostname/port. Under Win32, the default hostname is
> # '127.0.0.1', and the default port is 514.
> # '127.0.0.1', and the default port is 514.
> #
> # [Unix flavours should use this format...]
> # output alert_syslog: LOG_AUTH LOG_ALERT
> #
> # [Win32 can use any of these formats...]
> # output alert_syslog: LOG_AUTH LOG_ALERT
> # output alert_syslog: host=localhost, LOG_AUTH LOG_ALERT
> # output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
> 
> Try this:
> 
> output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
> 
> HTH
> Matt
> 
> 
> 
> Steve wrote:
> 
> > Hi,
> >
> > New to the list, new to Linux, new to Snort, but trying hard!
> >
> > I have installed Smoothwall Express V2, and I'm having fun setting
> > things up and learning about all these things. But I'm stumped on one
> > thing. I have Kiwi Syslog Daemon running on a w2k3 box receiving
> > syslog messages from Smoothwall and Linux. I've changed syslog.conf to
> > accomplish this, adding:
> >
> > *.* @192.168.0.60
> >
> > at the end. Now all my Smoothwall logs are happily arriving at Kiwi.
> > But I'd like to get Snort messages there too. I've changed snort.conf
> > to uncomment the line:
> >
> > output alert_syslog: LOG_AUTH LOG_ALERT
> >
> > but don't see any Snort messages in syslog. What else do I need to do?
> > I've trawled the web and archives but found nothing definitive, only
> > lots of people asking similar questions. Sorry if this has been
> > covered before.
> >
> > While I'm here, there is one other syslog-related problem, although
> > not with Snort. After Smoothwall boot, it takes about 5 minutes for
> > Kiwi to start receiving anything from Smoothwall, even though
> > Smoothwall in the meantime logs messages.
> >
> > I have asked these questions on the Smoothwall list, but have received
> > no answers, so hoping someone here can help. Cheers.
> >
> > *Steve*
> >
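The thread turns on two configuration lines working together: Snort's `output alert_syslog: LOG_AUTH LOG_ALERT` (which, on the Unix build, picks only a facility and severity; `host=` is a Win32-only option per the quoted snort.conf comment) and the syslog.conf rule `*.* @192.168.0.60` that relays everything to the Kiwi collector. The script below is an added example, not code from this thread or from the Snort project: it parses both lines, reports whether the forwarding selector actually covers the facility/severity Snort will use, and shows the RFC 3164 PRI value (`<33>` for auth.alert) to look for on the collector. Facility and severity tables are the standard syslog(3) codes; only plain `facility.level` selectors are handled, and the `@host:port` form is an assumption (classic syslog.conf takes only `@host`).

```python
"""Check that a Snort alert_syslog line and a syslog.conf forwarding rule agree,
and show the PRI a collector such as Kiwi will receive.
Added example for the thread; not Snort's own code."""
import re

# Facility and severity codes from syslog(3) / RFC 3164: PRI = facility * 8 + severity.
FACILITIES = {
    "KERN": 0, "USER": 1, "MAIL": 2, "DAEMON": 3, "AUTH": 4, "SYSLOG": 5,
    "LPR": 6, "NEWS": 7, "UUCP": 8, "CRON": 9, "AUTHPRIV": 10, "FTP": 11,
    "LOCAL0": 16, "LOCAL1": 17, "LOCAL2": 18, "LOCAL3": 19,
    "LOCAL4": 20, "LOCAL5": 21, "LOCAL6": 22, "LOCAL7": 23,
}
SEVERITIES = {
    "EMERG": 0, "ALERT": 1, "CRIT": 2, "ERR": 3,
    "WARNING": 4, "NOTICE": 5, "INFO": 6, "DEBUG": 7,
}


def parse_alert_syslog(line, platform="unix"):
    """Parse 'output alert_syslog: [host=h[:port],] LOG_FACILITY LOG_SEVERITY'.

    The snort.conf comment quoted in the thread says host= is honoured only by
    the Win32 build, so on a Unix build it is rejected here instead of being
    silently ignored. Returns facility, severity, pri, host and port.
    """
    m = re.match(r"\s*output\s+alert_syslog:\s*(.+?)\s*$", line)
    if not m:
        raise ValueError("not an 'output alert_syslog:' line")
    rest = m.group(1)
    host, port = None, 514  # Win32 defaults quoted in the thread
    hm = re.match(r"host=([^,\s]+)\s*,\s*(.+)$", rest)
    if hm:
        if platform != "win32":
            raise ValueError("host= is only supported by the Win32 build of Snort")
        hostport, rest = hm.group(1), hm.group(2)
        host, _, p = hostport.partition(":")
        if p:
            port = int(p)
    facility = severity = None
    for tok in rest.split():
        name = tok.upper()
        if name.startswith("LOG_"):
            name = name[4:]
        if name in FACILITIES:
            facility = FACILITIES[name]
        elif name in SEVERITIES:
            severity = SEVERITIES[name]
        else:
            raise ValueError(f"unknown syslog token {tok!r}")
    if facility is None or severity is None:
        raise ValueError("both a LOG_ facility and a LOG_ severity are required")
    return {"facility": facility, "severity": severity,
            "pri": facility * 8 + severity, "host": host, "port": port}


def parse_forward_rule(line):
    """Parse a classic syslog.conf remote rule such as '*.* @192.168.0.60'.

    Returns (selectors, host, port); each selector is (facility or None for any,
    worst severity still forwarded). '@host:port' is an assumed extension;
    '=' and '!' selector modifiers are not handled.
    """
    parts = line.split()
    if len(parts) != 2 or not parts[1].startswith("@"):
        raise ValueError("not a remote-forwarding rule")
    host, _, p = parts[1].lstrip("@").partition(":")
    port = int(p) if p else 514
    selectors = []
    for sel in parts[0].split(";"):
        fac_names, dot, sev_name = sel.partition(".")
        if not dot:
            raise ValueError(f"selector {sel!r} lacks a severity")
        sev = 7 if sev_name == "*" else SEVERITIES[sev_name.upper()]
        for fac in fac_names.split(","):
            selectors.append((None if fac == "*" else FACILITIES[fac.upper()], sev))
    return selectors, host, port


def rule_forwards(selectors, facility, severity):
    """True if any selector covers this facility at this severity or worse."""
    return any((f is None or f == facility) and severity <= s for f, s in selectors)


def wire_message(pri, tag, text):
    """Minimal RFC 3164 payload as a collector would display it."""
    return f"<{pri}>{tag}: {text}"


def check_pipeline(snort_line, syslogconf_line, platform="unix"):
    """Tie the two lines together: will this Snort alert reach the collector?"""
    cfg = parse_alert_syslog(snort_line, platform)
    selectors, host, port = parse_forward_rule(syslogconf_line)
    return {"pri": cfg["pri"], "collector": f"{host}:{port}",
            "forwarded": rule_forwards(selectors, cfg["facility"], cfg["severity"])}


if __name__ == "__main__":
    # The two lines from the thread: auth.alert should be relayed by '*.*'.
    print(check_pipeline("output alert_syslog: LOG_AUTH LOG_ALERT", "*.* @192.168.0.60"))
    print(wire_message(33, "snort", "[constructed sample alert]"))
```

If the check says the alert is forwarded and nothing still shows up in Kiwi, the configuration lines are not the problem and the next thing to verify is whether Snort is actually emitting to the local syslog daemon at all (for example by watching the local auth log while generating a known alert).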
