[Snort-users] Syslogging question

Steve snort at ...12313...
Tue Aug 24 15:53:41 EDT 2004


Rich,

I *think* I've done all that. I've uncommented the "output syslog_alert"
line in snort.conf, so alerts should be going to syslog. I've added the line
to syslog.conf to forward to my host (and that's working because I get lots
of other messages forwarded just fine). It forwards ALL messages (*.*). Even
rebooted after all changes to be sure.

There must be something else I need to change in Snort to get alerts sent to
syslog. Who knows what?

Steve


> -----Original Message-----
> From: Rich Adamson [mailto:radamson at ...2127...]
> Sent: Tuesday, 24 August 2004 10:14 PM
> To: snort-users at lists.sourceforge.net; Steve
> Subject: RE: [Snort-users] Syslogging question
> 
> Steve,
> 
> Not sure what all you've tried, but consider...
> 1. use the snort.conf to send the alerts to the linux syslog facility,
> 2. configure the linux syslog facility to "handle" the incoming snort alerts
> 3. restart linux syslogd (required to reread config changes)
> 4. verify the linux syslogd is actually writing to a /var/log... file
> 5. when that is working, then add a linux syslog.conf statement (leave snort.conf
>    alone) to forward these incoming messages to a distant machine (kiwi syslog).
>    The syntax is something like "kern.crit  @kiwi.machine.com" and can be
>    found in 'man syslog.conf'.
> 6. when all of that is working, then try messing around with forwarding syslog
>    messages directly from snort to kiwi, bypassing linux syslogd.
> 
> I use snort on win32 with syslog a lot (for low volume sensors), but not
> on linux systems. I faintly recall (from a long time ago) that snort on linux
> writes the syslog messages via the linux OS calls (not the ip stack), and
> likely requires your config to first write the alerts to the linux syslog.
> 
> All unix systems that I'm familiar with have a syslog config option to forward
> syslog messages to a distant machine "after" the unix syslog function receives
> the message. Remember any changes to /etc/syslog.conf require a restart of
> the linux syslogd.
> 
> Rich
> 
> ------------------------
> 
> > Tried it just then, but still no messages in syslog...
> >
> > Steve
> >
> >
> > > -----Original Message-----
> > > From: Matt [mailto:matt at ...12315...]
> > > Sent: Tuesday, 24 August 2004 1:18 PM
> > > To: Steve
> > > Subject: Re: [Snort-users] Syslogging question
> > >
> > >
> > > Sorry, I didn't read,
> > > :)
> > > just for curiosity's sake, did you try it?
> > >
> > >
> > > Steve wrote:
> > >
> > > >Matt,
> > > >
> > > >As I read it, the host= format only applies to the win32 version, not the
> > > >Unix version...
> > > >
> > > >Steve
> > > >
> > > >
> > > >
> > > >
> > > >>-----Original Message-----
> > > >>From: Matt [mailto:matt at ...12315...]
> > > >>Sent: Monday, 23 August 2004 3:14 PM
> > > >>To: Steve
> > > >>Cc: snort-users at lists.sourceforge.net
> > > >>Subject: Re: [Snort-users] Syslogging question
> > > >>
> > > >>####################################################################
> > > >># Step #3: Configure output plugins
> > > >>#
> > > >># Uncomment and configure the output plugins you decide to use. General
> > > >># configuration for output plugins is of the form:
> > > >>#
> > > >># output <name_of_plugin>: <configuration_options>
> > > >>#
> > > >># alert_syslog: log alerts to syslog
> > > >># ----------------------------------
> > > >># Use one or more syslog facilities as arguments. Win32 can also optionally
> > > >># specify a particular hostname/port. Under Win32, the default hostname is
> > > >># '127.0.0.1', and the default port is 514.
> > > >>#
> > > >># [Unix flavours should use this format...]
> > > >># output alert_syslog: LOG_AUTH LOG_ALERT
> > > >>#
> > > >># [Win32 can use any of these formats...]
> > > >># output alert_syslog: LOG_AUTH LOG_ALERT
> > > >># output alert_syslog: host=localhost, LOG_AUTH LOG_ALERT
> > > >># output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
> > > >>
> > > >>Try this:
> > > >>
> > > >>output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
> > > >>
> > > >>HTH
> > > >>Matt
> > > >>
> > > >>
> > > >>
> > > >>Steve wrote:
> > > >>
> > > >>
> > > >>
> > > >>>Hi,
> > > >>>
> > > >>>New to the list, new to Linux, new to Snort, but trying hard!
> > > >>>
> > > >>>I have installed Smoothwall Express V2, and I'm having fun setting
> > > >>>things up and learning about all these things. But I'm stumped on one
> > > >>>thing. I have Kiwi Syslog Daemon running on a w2k3 box receiving
> > > >>>syslog messages from Smoothwall and Linux. I've changed syslog.conf to
> > > >>>accomplish this, adding:
> > > >>>
> > > >>>*.* @192.168.0.60
> > > >>>
> > > >>>at the end. Now all my Smoothwall logs are happily arriving at Kiwi.
> > > >>>But I'd like to get Snort messages there too. I've changed snort.conf
> > > >>>to uncomment the line:
> > > >>>
> > > >>>output alert_syslog: LOG_AUTH LOG_ALERT
> > > >>>
> > > >>>but don't see any Snort messages in syslog. What else do I need to do?
> > > >>>I've trawled the web and archives but found nothing definitive, only
> > > >>>lots of people asking similar questions. Sorry if this has been
> > > >>>covered before.
> > > >>>
> > > >>>While I'm here, there is one other syslog-related problem, although
> > > >>>not with Snort. After Smoothwall boot, it takes about 5 minutes for
> > > >>>Kiwi to start receiving anything from Smoothwall, even though
> > > >>>Smoothwall in the meantime logs messages.
> > > >>>
> > > >>>I have asked these questions on the Smoothwall list, but have received
> > > >>>no answers, so hoping someone here can help. Cheers.
> > > >>>
> > > >>>*Steve*
> > > >>>
> > > >>>
> > > >>>
> > > >
> > > >
> > > >
> > > >
> > > >-------------------------------------------------------
> > > >SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank
> Media
> > > >100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
> > > >Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
> > > >http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
> > > >_______________________________________________
> > > >Snort-users mailing list
> > > >Snort-users at lists.sourceforge.net
> > > >Go to this URL to change user options or unsubscribe:
> > > >https://lists.sourceforge.net/lists/listinfo/snort-users
> > > >Snort-users list archive:
> > > >http://www.geocrawler.com/redir-sf.php3?list=ort-users
> > > >
> > > >
> > > >
> 
> ---------------End of Original Message-----------------
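Added example (not part of the thread, and not Snort's or sysklogd's own code): the selector rules in a classic syslog.conf decide where an alert written via `output alert_syslog: LOG_AUTH LOG_ALERT` (which the daemon sees as facility auth, priority alert) ends up, so the check Rich describes in steps 4 and 5 comes down to knowing which rules match auth.alert. The Python below evaluates sysklogd/BSD-style selectors (facility lists, `*`, `none`, `=`, `!`, and `;`-chained overrides such as `auth.none`) against a constructed syslog.conf that contains Steve's `*.* @192.168.0.60` line, a local file rule, and the `kern.crit @kiwi.machine.com` syntax quoted in the thread. The file contents, the host names and the path /var/log/snort-alerts.log are assumptions made for the example.

```python
"""Evaluate classic (sysklogd/BSD-style) syslog.conf selectors.

Added example for the Snort-users thread above; not code from Snort or
sysklogd. Given a syslog.conf and the facility.priority a program logs
with, list the actions (files, @hosts) that would receive the message.
"""
import re

# Numeric severities as in <syslog.h>: lower number = more severe.
PRIORITIES = {
    "emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
    "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7,
}
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp",
] + [f"local{i}" for i in range(8)]
ALIASES = {"security": "auth"}
ALL_PRIOS = frozenset(range(8))


def _priority_set(spec: str) -> frozenset:
    """Translate one priority field into the set of numeric levels it selects."""
    if spec == "*":
        return ALL_PRIOS
    if spec == "none":
        return frozenset()
    if spec.startswith("!="):            # everything except this single level
        return ALL_PRIOS - {PRIORITIES[spec[2:]]}
    if spec.startswith("="):             # exactly this level
        return frozenset({PRIORITIES[spec[1:]]})
    if spec.startswith("!"):             # exclude this level and anything more severe
        return frozenset(p for p in ALL_PRIOS if p > PRIORITIES[spec[1:]])
    return frozenset(p for p in ALL_PRIOS if p <= PRIORITIES[spec])  # level and up


def parse_rule(line: str):
    """Split 'sel;sel<whitespace>action' into ({facility: prio_set}, action)."""
    m = re.match(r"^(\S+)\s+(\S.*?)\s*$", line)
    if not m:
        raise ValueError(f"bad syslog.conf rule: {line!r}")
    selectors, action = m.group(1), m.group(2)
    table = {}
    for sel in selectors.split(";"):
        facs, _, prio = sel.rpartition(".")
        prio_set = _priority_set(prio)
        names = FACILITIES if facs == "*" else [ALIASES.get(f, f) for f in facs.split(",")]
        for fac in names:                # later selectors override earlier ones
            table[fac] = prio_set
    return table, action


def route(conf: str, facility: str, priority: str) -> list:
    """Return the actions a message logged at facility.priority would reach."""
    fac = ALIASES.get(facility, facility)
    prio = PRIORITIES[priority]
    actions = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        table, action = parse_rule(line)
        if prio in table.get(fac, frozenset()):
            actions.append(action)
    return actions


# Constructed sample syslog.conf (an assumption for this example, not Steve's file).
SAMPLE_CONF = """
# Step 4 in the thread: prove syslogd writes Snort alerts to a local file first
auth.alert          /var/log/snort-alerts.log
# The 'kern.crit @host' syntax quoted in the thread, taken literally
kern.crit           @kiwi.machine.com
# Typical distro rule: everything at info or above, but keep auth out of it
*.info;auth.none    /var/log/messages
# Steve's catch-all forward to the Kiwi box
*.*                 @192.168.0.60
"""


def snort_alert_destinations(conf: str = SAMPLE_CONF) -> list:
    """Where an alert from 'output alert_syslog: LOG_AUTH LOG_ALERT' ends up."""
    return route(conf, "auth", "alert")


if __name__ == "__main__":
    for fac, pri in [("auth", "alert"), ("auth", "info"), ("kern", "crit")]:
        print(f"{fac}.{pri:<6} -> {route(SAMPLE_CONF, fac, pri)}")
```

Run against the sample, auth.alert lands in the local file and in the `*.*` forward but never in the `kern.crit` forward, which only ever matches kernel messages at crit or above; auth.info reaches only the catch-all, because `auth.none` removes it from the messages file. On the sensor itself, `logger -p auth.alert "snort path test"` exercises the same syslogd path without involving Snort, so if that line reaches Kiwi and Snort's alerts do not, the remaining suspects are on the Snort side (whether the running process loaded the snort.conf that was edited, or whether the `-s` command-line switch, which also sends alerts to syslog, gives the same result) rather than in syslog.conf.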