[Snort-users] Syslogging question

Steve snort at ...12313...
Mon Aug 23 21:32:08 EDT 2004


Tried it just then, but still no messages in syslog...

Steve


> -----Original Message-----
> From: Matt [mailto:matt at ...12315...]
> Sent: Tuesday, 24 August 2004 1:18 PM
> To: Steve
> Subject: Re: [Snort-users] Syslogging question
> 
> 
> Sorry I didn't read,
> :)
> just for curiosity sake did you try it?
> 
> 
> Steve wrote:
> 
> >Matt,
> >
> >As I read it, the host= format only applies to the win32 version, not the
> >Unix version...
> >
> >Steve
> >
> >
> >
> >
> >>-----Original Message-----
> >>From: Matt [mailto:matt at ...12315...]
> >>Sent: Monday, 23 August 2004 3:14 PM
> >>To: Steve
> >>Cc: snort-users at lists.sourceforge.net
> >>Subject: Re: [Snort-users] Syslogging question
> >>
> >>####################################################################
> >># Step #3: Configure output plugins
> >>#
> >># Uncomment and configure the output plugins you decide to use. General
> >># configuration for output plugins is of the form:
> >>#
> >># output <name_of_plugin>: <configuration_options>
> >>#
> >># alert_syslog: log alerts to syslog
> >># ----------------------------------
> >># Use one or more syslog facilities as arguments. Win32 can also optionally
> >># specify a particular hostname/port. Under Win32, the default hostname is
> >># '127.0.0.1', and the default port is 514.
> >>#
> >># [Unix flavours should use this format...]
> >># output alert_syslog: LOG_AUTH LOG_ALERT
> >>#
> >># [Win32 can use any of these formats...]
> >># output alert_syslog: LOG_AUTH LOG_ALERT
> >># output alert_syslog: host=localhost, LOG_AUTH LOG_ALERT
> >># output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
> >>
> >>Try this:
> >>
> >>output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
> >>
> >>HTH
> >>Matt
> >>
> >>
> >>
> >>Steve wrote:
> >>
> >>
> >>
> >>>Hi,
> >>>
> >>>New to the list, new to Linux, new to Snort, but trying hard!
> >>>
> >>>I have installed Smoothwall Express V2, and I'm having fun setting
> >>>things up and learning about all these things. But I'm stumped on one
> >>>thing. I have Kiwi Syslog Daemon running on a w2k3 box receiving
> >>>syslog messages from Smoothwall and Linux. I've changed syslog.conf to
> >>>accomplish this, adding:
> >>>
> >>>*.* @192.168.0.60
> >>>
> >>>at the end. Now all my Smoothwall logs are happily arriving at Kiwi.
> >>>But I'd like to get Snort messages there too. I've changed snort.conf
> >>>to uncomment the line:
> >>>
> >>>output alert_syslog: LOG_AUTH LOG_ALERT
> >>>
> >>>but don't see any Snort messages in syslog. What else do I need to do?
> >>>I've trawled the web and archives but found nothing definitive, only
> >>>lots of people asking similar questions. Sorry if this has been
> >>>covered before.
> >>>
> >>>While I'm here, there is one other syslog-related problem, although
> >>>not with Snort. After Smoothwall boot, it takes about 5 minutes for
> >>>Kiwi to start receiving anything from Smoothwall, even though
> >>>Smoothwall in the meantime logs messages.
> >>>
> >>>I have asked these questions on the Smoothwall list, but have received
> >>>no answers, so hoping someone here can help. Cheers.
> >>>
> >>>*Steve*
> >>>
> >>>
> >>>
> >
> >
> >
> >
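As an added example (not from the thread or from Snort itself), a small Python tool for isolating where the path breaks: it builds the BSD syslog datagram that Snort's alert_syslog plugin emits for LOG_AUTH LOG_ALERT (PRI 4*8+1 = 33) and can send it straight to the collector, so a missing entry in Kiwi points at syslogd forwarding rather than at Snort. The collector address 192.168.0.60 is taken from Steve's syslog.conf; the hostname, tag and message text are constructed.

```python
import socket
from datetime import datetime

# Facility and severity codes as defined by syslog(3) / RFC 3164.
# Snort's "LOG_AUTH LOG_ALERT" maps to facility auth (4), severity alert (1).
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11, "local0": 16, "local1": 17,
              "local2": 18, "local3": 19, "local4": 20, "local5": 21,
              "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}


def pri(facility, severity):
    """PRI field = facility * 8 + severity, e.g. auth.alert -> 33."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(value):
    """Reverse mapping, handy when reading the <PRI> a collector shows."""
    fac = {v: k for k, v in FACILITIES.items()}[value // 8]
    sev = {v: k for k, v in SEVERITIES.items()}[value % 8]
    return fac, sev


def build_message(facility, severity, hostname, tag, text, when=None):
    """One BSD syslog line: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: text.

    RFC 3164 space-pads a single-digit day, hence the manual formatting.
    """
    when = when or datetime.now()
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri(facility, severity)}>{stamp} {hostname} {tag}: {text}".encode()


def send_test(collector, facility="auth", severity="alert", port=514):
    """Send one UDP datagram to the collector, bypassing Snort and syslogd.

    If this arrives but Snort alerts do not, the problem is on the Snort or
    local syslogd side, not the network path or the collector.
    """
    msg = build_message(facility, severity, socket.gethostname(),
                        "snort-test", "manual syslog path check (constructed)")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(msg, (collector, port))
    return msg


if __name__ == "__main__":
    print(send_test("192.168.0.60").decode())
```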