[Snort-users] Remote syslogging with multiple interfaces

Kevin Ponds kponds at ...11827...
Mon Aug 8 11:54:29 EDT 2005


Hi all,

I have two interfaces on my sensors - a dedicated sniffing interface
and a dedicated management interface.  The sniffing interfaces cannot
talk on the network.

I'd like to send syslog events to a remote management machine. 
However, snort is running on the sniff interface (eth1), and I believe
it's trying to send the syslog stuff out that interface.  This doesn't
work.   Is there any way to get snort to sniff on one interface and
send syslog events on another?

I'm using:

output alert_syslog: host=192.168.40.104:514, LOG_AUTH LOG_ALERT

in snort.conf rather than using -s on the command line ( -s wouldn't
allow me to run snort since the interface didn't have an IP).

I would imagine that this would just work without having to mess
around with interfaces, but I am not seeing any events on my
management box or out of tcpdump -i eth1 on the snort sensor.



Thanks,

Kevin




More information about the Snort-users mailing list