[Snort-users] Remote syslogging with multiple interfaces
kponds at ...11827...
Tue Aug 9 12:36:15 EDT 2005
Thanks for the help all, assumed that letting snort do it was the
preferred way, but I'll do it with syslog.
On 8/8/05, Matt Kettler <mkettler at ...4108...> wrote:
> Kevin Ponds wrote:
> > Hi all,
> > I have two interfaces on my sensors - a dedicated sniffing interface
> > and a dedicated management interface. The sniffing interfaces cannot
> > talk on the network.
> > I'd like to send syslog events to a remote management machine.
> > However, snort is running on the sniff interface (eth1), and I believe
> > it's trying to send the syslog stuff out that interface. This doesn't
> > work. Is there any way to get snort to sniff on one interface and
> > send syslog events on another?
> > I'm using:
> > output alert_syslog: host=192.168.40.104:514, LOG_AUTH LOG_ALERT
> Rather than get snort to do the redirection, why not have snort log to the local
> syslogd (via normal unix sockets instead of IP sockets) and have syslog.conf
> redirect the messages to a separate box?
> (syslogd can do this easily. Instead of specifying an output file for the
> messages you specify @192.168.40.104)
> IMO this is really the way it should be done anyway. Centralized logging control is
> much more flexible than per-application logging control.
> You also get the option of logging a duplicate copy locally, should you desire
> to do so.
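The two configuration changes Matt describes, written out as an added example (not from the thread): snort hands alerts to the local syslogd over /dev/log, and a classic sysklogd-style syslog.conf forwards them from the management interface. The local log file path is an assumption; the remote host and facility/priority are the ones from the original question.

```conf
# --- snort.conf ---
# Before: snort itself opens a UDP socket to the collector. With no usable
# route on the sniffing interface, these packets never leave the sensor.
#output alert_syslog: host=192.168.40.104:514, LOG_AUTH LOG_ALERT

# After: no host= option, so snort calls syslog(3) and writes to /dev/log.
# Facility auth, priority alert, matching the selector below.
output alert_syslog: LOG_AUTH LOG_ALERT

# --- /etc/syslog.conf on the sensor ---
# Forward snort alerts to the central box. The UDP datagram is built by
# syslogd and routed by the kernel, so it leaves via whichever interface
# has a route to 192.168.40.104 (the management interface), not eth1.
auth.alert          @192.168.40.104

# Optional duplicate copy kept locally (path is an assumption).
auth.alert          /var/log/snort-alerts.log
```

The receiving syslogd must be started with remote reception enabled (for sysklogd that is the -r flag), or the forwarded messages are silently dropped; after reloading syslogd on the sensor, a test alert should appear in both destinations.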