[Snort-users] [snort-users] alert_syslog and remote syslogs: win32 only?

Frank Knobbe frank at ...9761...
Mon Aug 17 11:31:01 EDT 2009


On Mon, 2009-08-17 at 10:09 -0400, gravyface wrote:

> I don't quite understand the reasoning behind forcing *nix to write to
> the local syslog only:

'cause that's the way syslog normally works. It's just a system call to
the log function. The application (Snort in this case) doesn't assemble
packets. It just calls a "log" function. The syslog daemon does the
rest.

> it seems a bit cleaner to allow local or remote
> from within Snort, depending on the config value, with a default of
> remote if Win32 vs. local for *nix in the config. No need for any
> filtering/syslog-ng that way.

In Windows the only way to do syslog is to assemble the packet and put
it on the wire. That's the only reason there is an option for a remote
server.

It's actually nicer to have the *nix syslog daemon send the message. For
one, it's less work for Snort, fewer CPU cycles for logging, and Snort
can allocate more CPU for what it's intended to do, analyze packets.

The other reason is that, once the "log" call has been made, and Snort
is done, the syslog daemon can filter the data if desired, and send to
as many remote machines as you configure, without burdening Snort. 


Cheers,
Frank
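To make the two models in the reply concrete, here is an added example that is not part of the original message or of the Snort project's own documentation: the snort.conf output line for each platform, followed by the daemon-side rules that do the filtering and fan-out to several collectors. The collector addresses, ports and config file paths are assumed values for illustration; the rsyslog fragment uses the RainerScript filter syntax of rsyslog 7 or later.

```conf
# --- snort.conf, Win32 build ----------------------------------------------
# With no local syslog daemon to hand the message to, the Win32 build must
# build the datagram itself and address it to a collector.  Only this build
# accepts the host= option.  192.0.2.10:514 is an assumed collector address.
output alert_syslog: host=192.0.2.10:514, LOG_AUTH LOG_ALERT

# --- snort.conf, *nix build -----------------------------------------------
# Here Snort only calls syslog(3) with this facility and priority; where the
# message ends up is decided entirely by the syslog daemon's configuration.
output alert_syslog: LOG_AUTH LOG_ALERT

# --- /etc/rsyslog.d/snort.conf (assumed path; rsyslog 7+ syntax) ----------
# Match on the program name Snort passes to openlog(3) ("snort") rather than
# on auth.alert alone, so unrelated auth.alert messages are not forwarded.
# @@ forwards over TCP, @ over UDP; both collector addresses are assumed.
if $programname == 'snort' then @@192.0.2.20:514
if $programname == 'snort' then @192.0.2.21:514
# Optional: stop processing these lines locally once they have been
# forwarded.  Leave this out if you still want them in the local auth log.
if $programname == 'snort' then stop

# --- equivalent syslog-ng.conf fragment -----------------------------------
# Assumes a source block named s_local already exists in the configuration.
filter f_snort { program("snort"); };
destination d_snort_tcp { tcp("192.0.2.20" port(514)); };
destination d_snort_udp { udp("192.0.2.21" port(514)); };
log { source(s_local); filter(f_snort);
      destination(d_snort_tcp); destination(d_snort_udp); };
```

The *nix configuration keeps Snort's part to a single call per alert; adding a third collector, switching a destination from UDP to TCP, or dropping low-priority alerts is a daemon-side change that never requires touching snort.conf or restarting the sensor.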
