[Snort-users] [snort-users] alert_syslog and remote syslogs: win32 only?

Frank Knobbe frank at ...9761...
Fri Aug 14 16:01:37 EDT 2009


On Fri, 2009-08-07 at 19:30 -0400, GravyFace wrote:
> snort -c /etc/snort/snort.conf -pDs -A fast -l /var/log/snort -i eth0
> 
> snort.conf:
> ===========
> var RULE_PATH /etc/snort/rules/
> output alert_syslog: host=192.168.0.3, LOG_AUTH LOG_ALERT
> include $RULE_PATH/test.rules
> [...]

> The documentation seems to imply that this host:port parameter is for
> win32, but assumed it was -- as the docs mention -- because win32
> doesn't have syslog, but that it would still work under Linux.
> 
> Am I wrong? If so, what's the recommended method of doing remote syslogging?


Oh, that brings back memories... since I had submitted the patch to
enable syslog under Win32 back in... 2001? 2000?

Anyway, yes, if you run *nix, then the syslog directive will cause the
packet to be written to the local syslog. If you want to send any
packets to another syslog server, you have to modify the syslog config
to enable forwarding of alerts.

I'm not sure what syslog daemon you use. I prefer syslog-ng which is
highly customizable, and can be configured to only forward Snort alerts
to a remote server.

Hope that helps,
Frank
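A worked configuration for the setup Frank describes, added here as an illustration and not part of the original thread or of the Snort or syslog-ng projects. It keeps the poster's snort.conf output line minus the host= part (which the *nix alert_syslog plugin ignores) and adds a syslog-ng fragment that matches only Snort's alerts by the facility and severity Snort was told to use, then forwards them to 192.168.0.3. The syslog-ng 3.x syntax (system() source, udp()/tcp() destinations) is assumed; syslog-ng 2.x installs of the era used unix-stream("/dev/log") instead of system(). The remote host and port are taken from the post and a standard syslog port respectively.

```conf
# --- snort.conf (assumed edit of the poster's line) -------------------------
# On Linux/BSD the host=... parameter is a no-op, so drop it. Alerts are
# written to the local syslog with facility LOG_AUTH and severity LOG_ALERT.
output alert_syslog: LOG_AUTH LOG_ALERT

# --- /etc/syslog-ng/syslog-ng.conf fragment (syslog-ng 3.x syntax, assumed) --
# Local syslog socket plus syslog-ng's own messages.
source s_local {
    system();
    internal();
};

# Select only what Snort emits: facility auth, level alert. Nothing else on
# the box normally logs at auth.alert, so this isolates the IDS alerts.
filter f_snort {
    facility(auth) and level(alert);
};

# Forward to the collector from the post. UDP/514 is the classic transport
# but is unreliable and cleartext; TCP (port 514 here, assumed) at least
# avoids silent loss under load. Neither authenticates the receiver, so keep
# this on a management network or use syslog-ng's TLS support on the tcp()
# destination.
destination d_remote_udp { udp("192.168.0.3" port(514)); };
destination d_remote_tcp { tcp("192.168.0.3" port(514)); };

# Only the filtered Snort alerts leave the host; pick one destination.
log {
    source(s_local);
    filter(f_snort);
    destination(d_remote_tcp);
};
```

After reloading syslog-ng, trigger one of your test.rules and confirm the alert appears on 192.168.0.3 before trusting the path; if the collector is plain rsyslog/syslogd it must also be started with remote reception enabled, which is off by default on most distributions.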
