[Snort-users] [snort-users] alert_syslog and remote syslogs: win32 only?

gravyface gravyface at ...11827...
Mon Aug 17 11:52:22 EDT 2009


On Mon, Aug 17, 2009 at 11:31 AM, Frank Knobbe<frank at ...9761...> wrote:
> On Mon, 2009-08-17 at 10:09 -0400, gravyface wrote:
>
>> I don't quite understand the reasoning behind forcing *nix to write to
>> the local syslog only:
>
> 'cause that's the way syslog normally works. It's just a system call to
> the log function. The application (Snort in this case) doesn't assemble
> packets. It just calls a "log" function. The syslog daemon does the
> rest.
>
>> it seems a bit cleaner to allow local or remote
>> from within Snort, depending on the config value, with a default of
>> remote if Win32 vs. local for *nix in the config. No need for any
>> filtering/syslog-ng that way.
>
> In Windows the only way to do syslog is to assemble the packet and put
> it on the wire. That's the only reason there is an option for a remote
> server.
>
> It's actually nicer to have the *nix syslog daemon send the message. For
> one, it's less work for Snort, fewer CPU cycles for logging, and Snort
> can allocate more CPU for what it's intended to do, analyze packets.
>
> The other reason is that, once the "log" call has been made, and Snort
> is done, the syslog daemon can filter the data if desired, and send to
> as many remote machines as you configure, without burdening Snort.
>
>
> Cheers,
> Frank

Very good explanation, Frank.  Makes sense to me now.
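The two delivery paths Frank describes, side by side, as an added illustration that is not Snort's own alert_syslog code: on *nix the application makes one syslog(3) call and the local daemon does the filtering and forwarding; on Win32 there is no local daemon to call, so the application has to assemble the RFC 3164 datagram ("<PRI>timestamp host tag: message", PRI = facility*8 + severity) and push it over UDP/514 itself. The sample alert text, the hostname "sensor1", the timestamp and the 192.0.2.10 collector address are all constructed placeholders.

```c
/* Added example (not Snort's code): local syslog(3) call vs. building and
 * sending the syslog datagram yourself, as a Win32 build has to. */
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>

/* RFC 3164 PRI value. The LOG_* facility constants in <syslog.h> are
 * already shifted left by 3 (facility * 8), so OR them with the severity. */
int syslog_pri(int facility, int severity) {
    return facility | severity;
}

/* *nix path: hand the line to the local daemon and return. No packet
 * assembly and no sockets; syslog.conf or syslog-ng decide where it goes
 * and how many remote hosts receive it. */
void alert_local(const char *msg) {
    openlog("snort", LOG_PID | LOG_NDELAY, LOG_AUTH);
    syslog(LOG_ALERT, "%s", msg);
    closelog();
}

/* Win32-style path, step 1: build "<PRI>Mmm dd hh:mm:ss host tag: msg".
 * The timestamp is passed in so the output is deterministic.
 * Returns the number of bytes written, or -1 if buf is too small. */
int build_syslog_packet(char *buf, size_t buflen, int facility, int severity,
                        const char *timestamp, const char *host,
                        const char *tag, const char *msg) {
    int n = snprintf(buf, buflen, "<%d>%s %s %s: %s",
                     syslog_pri(facility, severity), timestamp, host, tag, msg);
    if (n < 0 || (size_t)n >= buflen) return -1;
    return n;
}

/* Win32-style path, step 2: put the datagram on the wire. This socket work
 * is what the application itself carries when there is no local daemon.
 * Returns 0 on success, -1 on any failure. */
int send_syslog_udp(const char *server_ip, unsigned short port,
                    const char *pkt, int len) {
    struct sockaddr_in dst;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    memset(&dst, 0, sizeof dst);
    dst.sin_family = AF_INET;
    dst.sin_port = htons(port);
    if (inet_pton(AF_INET, server_ip, &dst.sin_addr) != 1) {
        close(fd);
        return -1;
    }
    ssize_t sent = sendto(fd, pkt, (size_t)len, 0,
                          (struct sockaddr *)&dst, sizeof dst);
    close(fd);
    return sent == (ssize_t)len ? 0 : -1;
}

int main(void) {
    /* Constructed sample alert line; not from a real sensor. */
    const char *alert = "constructed test alert {TCP} 10.0.0.5:4444 -> 10.0.0.9:80";
    char pkt[1024];

    alert_local(alert);                 /* *nix: one call and Snort is done */

    int len = build_syslog_packet(pkt, sizeof pkt, LOG_AUTH, LOG_ALERT,
                                  "Aug 17 11:52:22", "sensor1", "snort", alert);
    if (len > 0) {
        printf("%s\n", pkt);            /* <33>Aug 17 11:52:22 sensor1 snort: ... */
        /* Remote collector address is a placeholder (TEST-NET-1). */
        send_syslog_udp("192.0.2.10", 514, pkt, len);
    }
    return 0;
}
```

The PRI arithmetic is the part most often got wrong when a sensor builds its own packets: LOG_AUTH is 4 (already stored as 32 in the header) and LOG_ALERT is 1, so the datagram starts with `<33>`; a collector that filters on facility decodes it back with PRI / 8 and PRI % 8.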



