[Snort-users] Remote syslogging with multiple interfaces

Kevin Ponds kponds at ...11827...
Tue Aug 9 12:36:15 EDT 2005


Thanks for the help all, assumed that letting snort do it was the
preferred way, but I'll do it with syslog.


Thanks,

Kevin

On 8/8/05, Matt Kettler <mkettler at ...4108...> wrote:
> Kevin Ponds wrote:
> > Hi all,
> >
> > I have two interfaces on my sensors - a dedicated sniffing interface
> > and a dedicated management interface.  The sniffing interfaces cannot
> > talk on the network.
> >
> > I'd like to send syslog events to a remote management machine.
> > However, snort is running on the sniff interface (eth1), and I believe
> > it's trying to send the syslog stuff out that interface.  This doesn't
> > work.   Is there any way to get snort to sniff on one interface and
> > send syslog events on another?
> >
> > I'm using:
> >
> > output alert_syslog: host=192.168.40.104:514, LOG_AUTH LOG_ALERT
> >
> 
> Rather than get snort to do the redirection, why not have snort log to the local
> syslogd (via normal unix sockets instead of IP sockets) and have syslog.conf
> redirect the messages to a separate box?
> 
> (syslogd can do this easily.. instead of specifying an output file for the
> messages you specify @192.168.40.104)
> 
> IMO this really the way it should be done anyway. Centralized logging control is
> much more flexible than per-application logging control.
> 
> You also get the option of logging a duplicate copy locally, should you desire
> to do so.
> 
>




More information about the Snort-users mailing list