[Snort-users] Remote syslogging of snort

Esler, Joel - Contractor joel.esler at ...9426...
Wed Jul 14 12:12:54 EDT 2004

Excerpt from Snort Users manual http://www.snort.org/docs

2.11 Output Modules

Output modules are new as of version 1.6. They allow Snort to be much
more flexible in the formatting and presentation of output to its users.
The output modules are run when the alert or logging subsystems of Snort
are called, after the preprocessors and detection engine. The format of
the directives in the rules file is very similar to that of the

Multiple output plugins may be specified in the Snort configuration
file. When multiple plugins of the same type (log, alert) are specified,
they are stacked and called in sequence when an event occurs. As with
the standard logging and alerting systems, output plugins send their
data to /var/log/snort by default or to a user directed directory (using
the -l command line switch).

Output modules are loaded at runtime by specifying the output keyword in
the rules file:

output <name>: <options>

Figure 2.28: Output Module Configuration Example
\begin{figure}\begin{verbatim}output alert_syslog: LOG_AUTH

2.11.1 Alert_syslog

This module sends alerts to the syslog facility (much like the -s
command line switch). This module also allows the user to specify the
logging facility and priority within the Snort rules file, giving users
greater flexibility in logging alerts. Available keywords Options

    * LOG_CONS
    * LOG_PID Facilities

    * LOG_AUTH
    * LOG_LOCAL0
    * LOG_LOCAL1
    * LOG_LOCAL2
    * LOG_LOCAL3
    * LOG_LOCAL4
    * LOG_LOCAL5
    * LOG_LOCAL6
    * LOG_LOCAL7
    * LOG_USER Priorities

    * LOG_CRIT
    * LOG_ERR
    * LOG_INFO

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Paul
Sent: Wednesday, July 14, 2004 11:38 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Remote syslogging of snort

I'm trying to set up snort to do remote sysloging.  So I put this line
the snort.conf file:

output alert_syslog: local1.debug

But when I restart snort, I get this error message in /var/log/messages:

 WARNING /usr/local/etc/snort.conf (419) => Unrecognized syslog 
facility/priority: local1.debug

Does snort not recognize the local logging facilities?  Or do I have a 
syntax error?

(/etc/syslog.conf reads "local1.debug    @{sysloghost}

Sysloghost /etc/syslog.conf reads "local1.debug     /var/log/snort.log)

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member

This SF.Net email sponsored by Black Hat Briefings & Training. Attend
Black Hat Briefings & Training, Las Vegas July 24-29 - 
digital self defense, top technical experts, no vendor pitches, 
unmatched networking opportunities. Visit www.blackhat.com
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list