[Snort-users] [snort-users] alert_syslog and remote syslogs: win32 only?

GravyFace gravyface at ...11827...
Fri Aug 7 19:30:18 EDT 2009


Hello,

Running snort as follows (eth0 is 192.168.0.10):

snort -c /etc/snort/snort.conf -pDs -A fast -l /var/log/snort -i eth0

snort.conf:
===========
var RULE_PATH /etc/snort/rules/
output alert_syslog: host=192.168.0.3, LOG_AUTH LOG_ALERT
include $RULE_PATH/test.rules

test.rules:
========
#test rule
alert icmp any any -> 192.168.0.10/32 any (msg:"ICMP";sid:501;)

The log file shows 4 pings in fast format OK, so I know the rules are
working, but I'm not seeing anything on my syslog server.

The documentation seems to imply that this host:port parameter is for
win32, but I assumed it was -- as the docs mention -- because win32
doesn't have syslog, and that it would still work under Linux.

Am I wrong? If so, what's the recommended method of doing remote syslogging?
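One thing worth checking before chasing the alert_syslog parameter itself is whether any syslog datagrams leave the sensor at all and whether what arrives on 192.168.0.3 carries the expected facility/severity. The helper below is an added example written for this thread; it is not part of the original post and not Snort's own code. It assumes the collector speaks BSD syslog (RFC 3164) over UDP/514, and the "snort[4242]" line it builds is a constructed sample modelled on the post's sid:501 rule, not real captured Snort output. The collector and port names are assumptions.

```python
"""Minimal RFC 3164 (BSD syslog) helpers for checking whether alert_syslog
output from a Snort sensor actually reaches a remote collector.

Added example for this thread, not part of the original post or of Snort.
Assumes the collector listens on UDP/514 and speaks RFC 3164.
"""
import re
import socket

# RFC 3164 facility and severity codes. PRI = facility * 8 + severity.
# LOG_AUTH (4) and LOG_ALERT (1) are the pair used in the post's snort.conf,
# so the expected PRI header on the wire is <33>.
FACILITIES = {"LOG_KERN": 0, "LOG_USER": 1, "LOG_MAIL": 2, "LOG_DAEMON": 3,
              "LOG_AUTH": 4, "LOG_SYSLOG": 5, "LOG_LOCAL0": 16, "LOG_LOCAL7": 23}
SEVERITIES = {"LOG_EMERG": 0, "LOG_ALERT": 1, "LOG_CRIT": 2, "LOG_ERR": 3,
              "LOG_WARNING": 4, "LOG_NOTICE": 5, "LOG_INFO": 6, "LOG_DEBUG": 7}

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def syslog_pri(facility, severity):
    """PRI value for a facility/severity pair given as LOG_* names."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def parse_pri(line):
    """Split '<PRI>rest' into (facility_name, severity_name, rest).

    Raises ValueError when the PRI header is missing or out of range, which
    is exactly what you want to notice if a collector is dropping messages
    because a sender does not frame them as syslog at all.
    """
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> header: %r" % line[:40])
    pri = int(m.group(1))
    if pri > 191:                       # 23 * 8 + 7 is the largest legal PRI
        raise ValueError("PRI out of range: %d" % pri)
    fac, sev = divmod(pri, 8)
    fac_name = next((k for k, v in FACILITIES.items() if v == fac), "facility%d" % fac)
    sev_name = next((k for k, v in SEVERITIES.items() if v == sev), "severity%d" % sev)
    return fac_name, sev_name, m.group(2)


def build_message(facility, severity, tag, msg,
                  timestamp="Aug  7 19:30:18", host="sensor"):
    """Build one RFC 3164 line: <PRI>TIMESTAMP HOSTNAME TAG: MSG."""
    return "<%d>%s %s %s: %s" % (syslog_pri(facility, severity),
                                 timestamp, host, tag, msg)


def send_udp(line, collector, port=514):
    """Send a single syslog line to the collector over UDP; returns bytes sent.
    Use this from the sensor to prove the path to the collector works
    independently of Snort."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(line.encode("utf-8"), (collector, port))


def listen_once(bind_addr="0.0.0.0", port=514, timeout=5.0):
    """Wait for one datagram on the collector side and return its parsed form,
    or None on timeout. Binding to 514 normally requires root."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.bind((bind_addr, port))
        try:
            data, peer = s.recvfrom(65535)
        except socket.timeout:
            return None
    fac, sev, rest = parse_pri(data.decode("utf-8", "replace"))
    return {"peer": peer[0], "facility": fac, "severity": sev, "message": rest}


if __name__ == "__main__":
    # Constructed sample modelled on the post's sid:501 rule (not real output).
    sample = build_message("LOG_AUTH", "LOG_ALERT", "snort[4242]",
                           "[1:501:0] ICMP {ICMP} 192.168.0.3 -> 192.168.0.10")
    print(sample)
    print(parse_pri(sample)[:2])
    # To actually exercise the path, run on the sensor (collector address assumed):
    #   send_udp(sample, "192.168.0.3")
    # and on the collector:
    #   listen_once()
```

Run `listen_once()` on the collector (or just `tcpdump -ni <iface> udp port 514` there) while the pings from the test rule fire. If nothing arrives even from `send_udp()`, the problem is the network or the collector's UDP listener, not Snort; if `send_udp()` arrives but Snort's alerts do not, the sensor is not emitting remote syslog, and a `tcpdump -ni eth0 udp port 514` on the sensor will confirm that.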
