[Snort-users] Remote syslogging with multiple interfaces

Charles Heselton charles.heselton at ...11827...
Tue Aug 9 20:25:41 EDT 2005


 
Is your sensor configured for normal syslog messages to go to the
remote server?  You should be able to configure snort to log to the
local syslogd, and then have that configured to forward the data to
your LOGHOST.

--
- Charlie
 
5A27 58D2 C791 8769 D4A4  F316 7BF8 D1F6 4829 EDCF
 
 
 

> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net 
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of 
> Kevin Ponds
> Sent: Monday, August 08, 2005 11:51 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Remote syslogging with multiple interfaces
> 
> Hi all,
> 
> I have two interfaces on my sensors - a dedicated sniffing
> interface and a dedicated management interface.  The sniffing
> interfaces cannot talk on the network.
> 
> I'd like to send syslog events to a remote management machine. 
> However, snort is running on the sniff interface (eth1), and I
> believe it's trying to send the syslog stuff out that interface. 
> This doesn't work.   Is there any way to get snort to sniff on one
> interface and send syslog events on another?
> 
> I'm using:
> 
> output alert_syslog: host=192.168.40.104:514, LOG_AUTH LOG_ALERT
> 
> in snort.conf rather than using -s on the command line ( -s
> wouldn't allow me to run snort since the interface didn't have an
> IP).
> 
> I would imagine that this would just work without having to mess
> around with interfaces, but I am not seeing any events on my
> management box or out of tcpdump -i eth1 on the snort sensor.
> 
> 
> 
> Thanks,
> 
> Kevin

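The arrangement suggested in the reply, written out as an added example that is not part of either message: Snort logs to the local syslog daemon, and that daemon forwards to the LOGHOST. It assumes a sysklogd-style syslogd on the sensor; 192.168.40.104 is the address from the quoted snort.conf line, while the local log path and the eth0 interface name are hypothetical.

```conf
# --- On the sensor: snort.conf ---
# No host= option: alerts are handed to the local syslog daemon through
# syslog(3), so Snort needs no address on the sniffing interface.
output alert_syslog: LOG_AUTH LOG_ALERT

# --- On the sensor: /etc/syslog.conf ---
# Forward facility "auth" at priority "alert" or higher to the LOGHOST
# over UDP port 514. Older syslogd versions require a TAB between the
# selector and the action.
auth.alert	@192.168.40.104

# Optional local copy of the same alerts (hypothetical path).
auth.alert	/var/log/snort-alerts.log

# Send syslogd a HUP signal after editing so it rereads this file.

# --- On the LOGHOST ---
# A sysklogd receiver accepts messages from the network only when it is
# started with the -r option.

# --- Checking the path from the sensor ---
# eth0 is an assumed name for the management interface; the thread only
# names eth1 (sniffing).
#   logger -p auth.alert "snort syslog forwarding test"
#   tcpdump -n -i eth0 udp port 514
```

The forwarded datagrams leave through whichever interface the sensor's routing table selects for 192.168.40.104, which is the management interface when the sniffing interface has no IP address.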




