[Snort-users] [snort-users] alert_syslog and remote syslogs: win32 only?

gravyface gravyface at ...11827...
Mon Aug 17 10:09:36 EDT 2009


On Fri, Aug 14, 2009 at 4:01 PM, Frank Knobbe<frank at ...9761...> wrote:
> On Fri, 2009-08-07 at 19:30 -0400, GravyFace wrote:
>> snort -c /etc/snort/snort.conf -pDs -A fast -l /var/log/snort -i eth0
>>
>> snort.conf:
>> ===========
>> var RULE_PATH /etc/snort/rules/
>> output alert_syslog: host=192.168.0.3, LOG_AUTH LOG_ALERT
>> include $RULE_PATH/test.rules
>> [...]
>
>> The documentation seems to imply that this host:port parameter is for
>> win32, but assumed it was -- as the docs mention -- because win32
>> doesn't have syslog, but that it would still work under Linux.
>>
>> Am I wrong? If so, what's the recommended method of doing remote syslogging?
>
>
> Oh, that brings back memories... since I had submitted the patch to
> enable syslog under Win32 back in... 2001? 2000?
>
> Anyway, yes, if you run *nix, then the syslog directive will cause the
> packet to be written to the local syslog. If you want to send any
> packets to another syslog server, you have to modify the syslog config
> to enable forwarding of alerts.

I don't quite understand the reasoning behind forcing *nix to write to
the local syslog only: it seems a bit cleaner to allow local or remote
from within Snort, depending on the config value, with a default of
remote if Win32 vs. local for *nix in the config. No need for any
filtering/syslog-ng that way.

> I'm not sure what syslog daemon you use. I prefer syslog-ng which is
> highly customizable, and can be configured to only forward Snort alerts
> to a remote server.

I'm using syslogd; it's sending all auth.alert events to the remote
syslog.  It's working well.

> Hope that helps,
> Frank
>
>
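As an added example (not from this thread or the Snort project), here is the syslog-side forwarding Frank describes, first with the classic syslogd approach gravyface uses and then with a syslog-ng filter so that only Snort's alerts leave the sensor. It assumes the 192.168.0.3 collector from the original snort.conf, Snort's default syslog identifier "snort", a Linux /dev/log datagram socket, and syslog-ng 2.x/3.x syntax:

```conf
# /etc/syslog.conf (classic syslogd): forward every auth.alert message,
# i.e. the facility/priority chosen by "output alert_syslog: LOG_AUTH LOG_ALERT".
# Everything logged at auth.alert goes out, not just Snort.
auth.alert                                      @192.168.0.3

# /etc/syslog-ng/syslog-ng.conf: forward only lines written by the program
# "snort" at auth.alert, and also keep a local copy for offline review.
# Assumptions: Snort's default ident is "snort"; /dev/log is a datagram socket.
source s_local {
    unix-dgram("/dev/log");
    internal();
};

# program() takes a regex; anchor it so e.g. "snort-helper" does not match.
filter f_snort_alerts {
    facility(auth) and level(alert) and program("^snort$");
};

destination d_snort_remote {
    udp("192.168.0.3" port(514));
};

destination d_snort_local {
    file("/var/log/snort/alert.syslog");
};

log {
    source(s_local);
    filter(f_snort_alerts);
    destination(d_snort_remote);
    destination(d_snort_local);
};
```

Plain UDP syslog gives no delivery guarantee and no transport protection, so the local copy is what you check when the collector shows a gap.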