[Snort-users] barnyard: alert_syslog2 not working
Andrew R. Baker
andrewb at ...950...
Tue Oct 12 08:53:30 EDT 2004
Botwick, Jason (Genworth, Contractor) wrote:
> Here is my barnyard.conf file
> config hostname: x.x.x.x
> config interface: x
> output alert_syslog2: severity: NOTICE; facility: LOCAL1;
> #output alert_syslog: LOG_LOCAL2 LOG_ALERT LOG_NDELAY
> Here are the lines I added to the syslog.conf file:
> I SIGHUP'd both syslogd and barnyard. I even tried rebooting once, but
> Running the command:
> barnyard -o snort.eth1.alert.1097060734 -c /etc/snort/barnyard.conf
> Produces no output in /var/log/barnyard.log
> I have Snort configured to output in unified format. I know that this is
> working because I can get Barnyard to log to a database, and also the
> alert_syslog plugin works fine (using the commented directive above).
> Any ideas why the old syslog plugin works, but the new one doesn't? What am
> I forgetting?
The new syslog2 output plug-in uses UDP sockets to send syslog events to
the remote server. This was done to allow it to be used on systems
without a local syslog daemon. The most likely scenario is that your
local syslog daemon is not accepting syslog messages over UDP. In order
to use the syslog2 output plug-in you will need to enable this support.
P.S. Barnyard related questions will get my attention much more quickly
on the Barnyard mailing lists at SourceForge.
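To make the transport point concrete, here is an added example (my own code, not Barnyard's and not from this thread): it encodes the poster's LOCAL1/NOTICE pair into the syslog <PRI> prefix, decodes it back, and shows on a loopback UDP socket that a datagram sent to a port nobody is listening on is accepted without any error, which is the silent failure Andrew describes. The hostname "sensor", the tag, and the free-port helper are constructed for the demonstration.

```python
import socket
import time

# RFC 3164 codes; the poster's alert_syslog2 line selects LOCAL1 / NOTICE.
FACILITIES = {"LOCAL0": 16, "LOCAL1": 17, "LOCAL2": 18, "LOCAL3": 19}
SEVERITIES = {"ALERT": 1, "ERR": 3, "WARNING": 4, "NOTICE": 5, "INFO": 6}

def encode_pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity, carried as <PRI> at the start of the datagram."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]

def parse_pri(msg: str) -> tuple:
    """Decode the <PRI> prefix back into (facility, severity) names."""
    if not msg.startswith("<") or ">" not in msg[:5]:
        raise ValueError("no <PRI> prefix")
    fac_code, sev_code = divmod(int(msg[1:msg.index(">")]), 8)
    fac = {v: k for k, v in FACILITIES.items()}[fac_code]
    sev = {v: k for k, v in SEVERITIES.items()}[sev_code]
    return fac, sev

def build_message(facility, severity, hostname, tag, text):
    """BSD-style line <PRI>TIMESTAMP HOSTNAME TAG: MSG (constructed, not barnyard output)."""
    stamp = time.strftime("%b %d %H:%M:%S")
    return f"<{encode_pri(facility, severity)}>{stamp} {hostname} {tag}: {text}"

def free_udp_port() -> int:
    """A loopback UDP port with no listener (stands in for syslogd started without UDP)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def udp_send_and_wait(msg: str, target_port=None, timeout=0.5):
    """Bind a loopback UDP listener, send msg to target_port (default: that listener),
    and return what arrived, or None on timeout. sendto() succeeds either way: UDP
    reports nothing when no daemon listens, so barnyard looks healthy while the log stays empty."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(timeout)
        dest = ("127.0.0.1", target_port or rx.getsockname()[1])
        tx.sendto(msg.encode(), dest)  # no error even when nothing listens on dest
        try:
            return rx.recvfrom(4096)[0].decode()
        except socket.timeout:
            return None
```

Running `udp_send_and_wait(build_message("LOCAL1", "NOTICE", "sensor", "barnyard", "test"))` against the built-in listener returns the line; pointing it at `free_udp_port()` returns None, the same outcome as a syslogd that was not started with UDP reception enabled.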