[Snort-users] [snort-users] alert_syslog and remote syslogs: win32 only?

GravyFace gravyface at ...11827...
Fri Aug 7 19:30:18 EDT 2009


Running snort as follows (eth0 is

snort -c /etc/snort/snort.conf -pDs -A fast -l /var/log/snort -i eth0

var RULE_PATH /etc/snort/rules/
output alert_syslog: host=, LOG_AUTH LOG_ALERT
include $RULE_PATH/test.rules

#test rule
alert icmp any any -> any any (msg:"ICMP"; sid:501;)

The log file shows 4 pings in fast format OK, so I know the rules are
working, but I'm not seeing anything on my syslog server.

The documentation seems to imply that this host:port parameter is for
win32, but I assumed it was -- as the docs mention -- because win32
doesn't have syslog, and that it would still work under Linux.

Am I wrong? If so, what's the recommended method of doing remote syslogging?
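As an added illustration (not code from the original post or from the Snort project): on Linux the alert_syslog plugin hands alerts to the local syslog(3) interface, so besides forwarding from the local syslog daemon, one way to get alerts to a remote server is to ship the fast-format alert file that the -A fast run above already produces. The script below parses fast-format lines and forwards each as a BSD syslog datagram with the LOG_AUTH/LOG_ALERT priority from the config; the hostname, server address and sample alert lines are constructed placeholders.

```python
"""Forward Snort fast-format alerts to a remote syslog server over UDP (RFC 3164)."""
import re
import socket

# syslog(3) codes; the PRI field is facility * 8 + severity
LOG_AUTH = 4
LOG_ALERT = 1
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

# One line as written by "snort -A fast": timestamp, [**] [gid:sid:rev] msg [**],
# optional [Classification/Priority] blocks, {proto} src -> dst
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[.*?\]\s+)*\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

# Constructed sample alert lines (not real captures)
SAMPLE_LINES = [
    "08/07-19:30:18.123456  [**] [1:501:0] ICMP [**] [Priority: 0] {ICMP} 192.168.1.10 -> 192.168.1.1",
    "08/07-19:30:19.000001  [**] [1:501:0] ICMP [**] {ICMP} 192.168.1.1 -> 192.168.1.10",
]


def parse_fast_alert(line):
    """Return the fields of one fast-format alert line, or None if it does not match."""
    m = FAST_RE.match(line.strip())
    return m.groupdict() if m else None


def syslog_pri(facility, severity):
    return facility * 8 + severity


def format_syslog(a, hostname="sensor1", facility=LOG_AUTH, severity=LOG_ALERT):
    """Build '<PRI>Mon dd hh:mm:ss host snort: [gid:sid:rev] msg {proto} src -> dst'."""
    ts = a["ts"]  # MM/DD-HH:MM:SS.usec -> syslog's "Mon dd hh:mm:ss" (no year in either)
    stamp = f"{MONTHS[int(ts[0:2]) - 1]} {int(ts[3:5]):2d} {ts[6:14]}"
    return (f"<{syslog_pri(facility, severity)}>{stamp} {hostname} snort: "
            f"[{a['gid']}:{a['sid']}:{a['rev']}] {a['msg']} {{{a['proto']}}} "
            f"{a['src']} -> {a['dst']}")


def ship_alerts(lines, server, port=514):
    """Send every parseable line to server:port as one UDP datagram; return the count sent."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sent = 0
    for line in lines:
        alert = parse_fast_alert(line)
        if alert:  # skip blank or malformed lines instead of forwarding garbage
            sock.sendto(format_syslog(alert).encode(), (server, port))
            sent += 1
    return sent


if __name__ == "__main__":
    # Placeholder syslog server address; in practice read /var/log/snort/alert instead
    print(ship_alerts(SAMPLE_LINES, "203.0.113.10"))
```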
