[Snort-users] Remote syslogging with multiple interfaces

Joshua Berry jberry at ...11848...
Tue Aug 9 21:18:15 EDT 2005

Are you running snort on a windows or linux box?  If linux, the
host=<ip_address> means nothing, you have to configure the remote syslog
server in your syslog.conf (snort will log locally and the syslog
process will log to the remote syslog server).

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Kevin
Sent: Monday, August 08, 2005 1:51 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Remote syslogging with multiple interfaces

Hi all,

I have two interfaces on my sensors - a dedicated sniffing interface and
a dedicated management interface.  The sniffing interfaces cannot talk
on the network.

I'd like to send syslog events to a remote management machine. 
However, snort is running on the sniff interface (eth1), and I believe
it's trying to send the syslog stuff out that interface.  This doesn't
work.   Is there any way to get snort to sniff on one interface and
send syslog events on another?

I'm using:

output alert_syslog: host=, LOG_AUTH LOG_ALERT

in snort.conf rather than using -s on the command line ( -s wouldn't
allow me to run snort since the interface didn't have an IP).

I would imagine that this would just work without having to mess around
with interfaces, but I am not seeing any events on my management box or
out of tcpdump -i eth1 on the snort sensor.



SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle
Practices Agile & Plan-Driven Development * Managing Projects & Teams *
Testing & QA Security * Process Improvement & Measurement *
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list