[Snort-users] Remote syslogging with multiple interfaces

Matt Kettler mkettler at ...4108...
Tue Aug 9 21:44:27 EDT 2005


Kevin Ponds wrote:
> Hi all,
> 
> I have two interfaces on my sensors - a dedicated sniffing interface
> and a dedicated management interface.  The sniffing interfaces cannot
> talk on the network.
> 
> I'd like to send syslog events to a remote management machine.
> However, snort is running on the sniff interface (eth1), and I believe
> it's trying to send the syslog stuff out that interface.  This doesn't
> work.  Is there any way to get snort to sniff on one interface and
> send syslog events on another?
> 
> I'm using:
> 
> output alert_syslog: host=192.168.40.104:514, LOG_AUTH LOG_ALERT
> 

Rather than get snort to do the redirection, why not have snort log to the local
syslogd (via normal unix sockets instead of IP sockets) and have syslog.conf
redirect the messages to a separate box?

(syslogd can do this easily: instead of specifying an output file for the
messages, you specify @192.168.40.104.)

IMO this is really the way it should be done anyway. Centralized logging control is
much more flexible than per-application logging control.

You also get the option of logging a duplicate copy locally, should you desire
to do so.
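The two config fragments this suggestion amounts to, as an added example (not from the thread): snort logs through the local syslog socket, and syslogd forwards the matching facility/priority over the management interface, keeping a local copy too. The snort.conf line uses the facility and level from the original post; the classic BSD syslog.conf syntax and the local log file path are assumptions.

```conf
# snort.conf: no "host=" means snort calls syslog(3) and writes to the local
# /dev/log socket, so no IP traffic ever leaves the sniffing interface (eth1).
output alert_syslog: LOG_AUTH LOG_ALERT

# /etc/syslog.conf (classic BSD syslogd; fields separated by TABs).
# "auth.alert" selects facility auth at priority alert and above, i.e. the
# messages snort emits with LOG_AUTH LOG_ALERT. The outgoing interface is
# chosen by the sensor's routing table, so the management interface carries it.
auth.alert	@192.168.40.104
# Optional duplicate copy kept on the sensor (path is an assumed example).
auth.alert	/var/log/snort-alerts.log
```

Caveat: the selector matches every auth.alert message on the box, not only snort's, so any other daemon logging at that facility and level is forwarded as well.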
