[Snort-users] Syslogging question

Tony Carter tcarter at ...11752...
Tue Aug 24 18:49:09 EDT 2004


Make sure that you have tabs between *.* and @192.168.0.60.
-Tony


On Aug 24, 2004, at 6:52 PM, Steve wrote:

> Rich,
>
> I *think* I've done all that. I've uncommented the "output syslog_alert"
> line in snort.conf, so alerts should be going to syslog. I've added the line
> to syslog.conf to forward to my host (and that's working because I get lots
> of other messages forwarded just fine). It forwards ALL messages (*.*). Even
> rebooted after all changes to be sure.
>
> There must be something else I need to change in Snort to get alerts sent to
> syslog. Who knows what?
>
> Steve
>
>
>> -----Original Message-----
>> From: Rich Adamson [mailto:radamson at ...2127...]
>> Sent: Tuesday, 24 August 2004 10:14 PM
>> To: snort-users at lists.sourceforge.net; Steve
>> Subject: RE: [Snort-users] Syslogging question
>>
>> Steve,
>>
>> Not sure what all you've tried, but consider...
>> 1. use the snort.conf to send the alerts to the linux syslog facility,
>> 2. configure the linux syslog facility to "handle" the incoming snort alerts
>> 3. restart linux syslogd (required to reread config changes)
>> 4. verify the linux syslogd is actually writing to a /var/log... file
>> 5. when that is working, then add a linux syslog.conf statement (leave
>>    snort.conf alone) to forward these incoming messages to a distant
>>    machine (kiwi syslog). The syntax is something like
>>    "kern.crit  @kiwi.machine.com" and can be found in 'man syslog.conf'.
>> 6. when all of that is working, then try messing around with forwarding
>>    syslog messages directly from snort to kiwi, bypassing linux syslogd.
>>
>> I use snort on win32 with syslog a lot (for low volume sensors), but not
>> on linux systems. I faintly recall (from a long time ago) that snort on
>> linux writes the syslog messages via the linux OS calls (not the ip stack),
>> and likely requires your config to first write the alerts to the linux
>> syslog.
>>
>> All unix systems that I'm familiar with have a syslog config option to
>> forward syslog messages to a distant machine "after" the unix syslog
>> function receives the message. Remember any changes to /etc/syslog.conf
>> require a restart of the linux syslogd.
>>
>> Rich
>>
>> ------------------------
>>
>>> Tried it just then, but still no messages in syslog...
>>>
>>> Steve
>>>
>>>
>>>> -----Original Message-----
>>>> From: Matt [mailto:matt at ...12315...]
>>>> Sent: Tuesday, 24 August 2004 1:18 PM
>>>> To: Steve
>>>> Subject: Re: [Snort-users] Syslogging question
>>>>
>>>>
>>>> Sorry, I didn't read,
>>>> :)
>>>> Just for curiosity's sake, did you try it?
>>>>
>>>>
>>>> Steve wrote:
>>>>
>>>>> Matt,
>>>>>
>>>>> As I read it, the host= format only applies to the win32 version, not
>>>>> the Unix version...
>>>>>
>>>>> Steve
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Matt [mailto:matt at ...12315...]
>>>>>> Sent: Monday, 23 August 2004 3:14 PM
>>>>>> To: Steve
>>>>>> Cc: snort-users at lists.sourceforge.net
>>>>>> Subject: Re: [Snort-users] Syslogging question
>>>>>>
>>>>>> ####################################################################
>>>>>> # Step #3: Configure output plugins
>>>>>> #
>>>>>> # Uncomment and configure the output plugins you decide to use. General
>>>>>> # configuration for output plugins is of the form:
>>>>>> #
>>>>>> # output <name_of_plugin>: <configuration_options>
>>>>>> #
>>>>>> # alert_syslog: log alerts to syslog
>>>>>> # ----------------------------------
>>>>>> # Use one or more syslog facilities as arguments. Win32 can also optionally
>>>>>> # specify a particular hostname/port. Under Win32, the default hostname is
>>>>>> # '127.0.0.1', and the default port is 514.
>>>>>> #
>>>>>> # [Unix flavours should use this format...]
>>>>>> # output alert_syslog: LOG_AUTH LOG_ALERT
>>>>>> #
>>>>>> # [Win32 can use any of these formats...]
>>>>>> # output alert_syslog: LOG_AUTH LOG_ALERT
>>>>>> # output alert_syslog: host=localhost, LOG_AUTH LOG_ALERT
>>>>>> # output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
>>>>>>
>>>>>> Try this:
>>>>>>
>>>>>> output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
>>>>>>
>>>>>> HTH
>>>>>> Matt
>>>>>>
>>>>>>
>>>>>>
>>>>>> Steve wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> New to the list, new to Linux, new to Snort, but trying hard!
>>>>>>>
>>>>>>> I have installed Smoothwall Express V2, and I'm having fun setting
>>>>>>> things up and learning about all these things. But I'm stumped on one
>>>>>>> thing. I have Kiwi Syslog Daemon running on a w2k3 box receiving
>>>>>>> syslog messages from Smoothwall and Linux. I've changed syslog.conf to
>>>>>>> accomplish this, adding:
>>>>>>>
>>>>>>> *.* @192.168.0.60
>>>>>>>
>>>>>>> at the end. Now all my Smoothwall logs are happily arriving at Kiwi.
>>>>>>> But I'd like to get Snort messages there too. I've changed snort.conf
>>>>>>> to uncomment the line:
>>>>>>>
>>>>>>> output alert_syslog: LOG_AUTH LOG_ALERT
>>>>>>>
>>>>>>> but don't see any Snort messages in syslog. What else do I need to do?
>>>>>>> I've trawled the web and archives but found nothing definitive, only
>>>>>>> lots of people asking similar questions. Sorry if this has been
>>>>>>> covered before.
>>>>>>>
>>>>>>> While I'm here, there is one other syslog-related problem, although
>>>>>>> not with Snort. After Smoothwall boot, it takes about 5 minutes for
>>>>>>> Kiwi to start receiving anything from Smoothwall, even though
>>>>>>> Smoothwall in the meantime logs messages.
>>>>>>>
>>>>>>> I have asked these questions on the Smoothwall list, but have received
>>>>>>> no answers, so hoping someone here can help. Cheers.
>>>>>>>
>>>>>>> *Steve*
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> -------------------------------------------------------
>>>>> SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank
>> Media
>>>>> 100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
>>>>> Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
>>>>> http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
>>>>> _______________________________________________
>>>>> Snort-users mailing list
>>>>> Snort-users at lists.sourceforge.net
>>>>> Go to this URL to change user options or unsubscribe:
>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>> Snort-users list archive:
>>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>>
>>>>>
>>>>>
>>>
>>>
>>>
>>>
>>
>> ---------------End of Original Message-----------------
>>
>
>
>
>
>

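Added example, not part of the thread and not Snort's or Smoothwall's own code: a small POSIX sh/awk script that checks the two configuration points the replies above hinge on. It confirms that snort.conf has an active "output alert_syslog:" line and derives the facility.priority selector it logs under (LOG_AUTH LOG_ALERT is auth.alert), then lists the forwarding rules in syslog.conf and flags any whose selector and action are separated by spaces rather than a TAB, which is the problem Tony raises (classic sysklogd/BSD syslogd builds ignore such a line; rsyslog and syslog-ng accept spaces). The snort.conf and syslog.conf it reads are constructed stand-ins written under /tmp, so it runs stand-alone; the 192.168.0.60 collector address is the one from the thread.

```sh
#!/bin/sh
# Added example (not from the thread): check the two config lines the
# replies depend on, using only sh + awk + grep.  Assumptions: the sample
# files below are constructed stand-ins for Steve's real snort.conf and
# syslog.conf, and the collector address is the 192.168.0.60 from the thread.

SNORT_CONF="${TMPDIR:-/tmp}/snort.conf.example"
SYSLOG_CONF="${TMPDIR:-/tmp}/syslog.conf.example"

# Constructed snort.conf fragment: the commented template plus the live line.
cat > "$SNORT_CONF" <<'EOF'
# output alert_syslog: LOG_AUTH LOG_ALERT
output alert_syslog: LOG_AUTH LOG_ALERT
EOF

# Constructed syslog.conf: one local file rule, Steve's space-separated
# forwarding line, and a TAB-separated rule limited to Snort's facility.priority.
printf '*.info;mail.none\t/var/log/messages\n' >  "$SYSLOG_CONF"
printf '*.* @192.168.0.60\n'                    >> "$SYSLOG_CONF"
printf 'auth.alert\t@192.168.0.60\n'            >> "$SYSLOG_CONF"

# 0 if snort.conf has an active (uncommented) alert_syslog output line.
snort_syslog_enabled() {
    grep -Eq '^[[:space:]]*output[[:space:]]+alert_syslog:' "$1"
}

# Print the syslog selector that Snort's "LOG_FAC LOG_PRI" arguments map to,
# e.g. "LOG_AUTH LOG_ALERT" -> "auth.alert", so the syslog.conf rule can match it.
snort_syslog_selector() {
    awk '/^[ \t]*output[ \t]+alert_syslog:/ {
            sub(/.*alert_syslog:[ \t]*/, "")
            split($0, a, /[ \t]+/)
            fac = tolower(a[1]); pri = tolower(a[2])
            sub(/^log_/, "", fac); sub(/^log_/, "", pri)
            print fac "." pri; exit }' "$1"
}

# List every forwarding rule (action starting with "@") as
# "<tab|SPACE> <selector> <host>".  Classic sysklogd/BSD syslogd builds only
# recognise a TAB between selector and action; a space-separated rule is
# silently ignored, which is the mistake Tony points at.
syslog_forward_rules() {
    awk '/^[ \t]*#/ || /^[ \t]*$/ { next }
         {
            n = split($0, f, /[ \t]+/)
            if (n < 2 || f[2] !~ /^@/) next
            sep = ($0 ~ /^[^ \t]+\t/) ? "tab" : "SPACE"
            print sep, f[1], substr(f[2], 2)
         }' "$1"
}

# 0 if a TAB-separated rule forwards SELECTOR (or everything, "*.*") to HOST.
syslog_forwards() {   # $1 syslog.conf  $2 facility.priority  $3 host
    syslog_forward_rules "$1" | awk -v sel="$2" -v host="$3" '
        $1 == "tab" && $3 == host && ($2 == sel || $2 == "*.*") { found = 1 }
        END { exit found ? 0 : 1 }'
}

if snort_syslog_enabled "$SNORT_CONF"; then
    sel=$(snort_syslog_selector "$SNORT_CONF")
    echo "snort.conf logs alerts as syslog selector: $sel"
    echo "forwarding rules found (separator selector host):"
    syslog_forward_rules "$SYSLOG_CONF"
    if syslog_forwards "$SYSLOG_CONF" "$sel" 192.168.0.60; then
        echo "OK: $sel is forwarded to 192.168.0.60 by a TAB-separated rule"
    else
        echo "PROBLEM: no TAB-separated rule forwards $sel to 192.168.0.60"
    fi
else
    echo "PROBLEM: no active 'output alert_syslog:' line in $SNORT_CONF"
fi

# On the real sensor, after fixing syslog.conf (steps 3-5 in Rich's list):
#   kill -HUP "$(cat /var/run/syslogd.pid)"        # make syslogd re-read its config
#   logger -p auth.alert "snort syslog path test"  # one fake auth.alert message
# then confirm it lands in the local /var/log file and on the Kiwi host.
```

To run this against a real sensor, delete the two blocks that write the sample files and point SNORT_CONF and SYSLOG_CONF at /etc/snort/snort.conf and /etc/syslog.conf (paths assumed; Smoothwall may differ). The logger command is the quickest way to separate "Snort is not emitting" from "syslogd is not forwarding": if a hand-made auth.alert message reaches Kiwi but Snort alerts do not, the problem is on the Snort side. Remember that syslog over UDP/514 is plaintext and unauthenticated, so the Kiwi host should accept it only from the sensor's address.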