[Snort-users] Barnyard Not Outputting to Syslog

infosec posts infosec.posts at ...11827...
Thu Feb 4 11:07:12 EST 2010


I have a snort/barnyard implementation that has been sending alerts to
a remote mysql instance since its inception.  Now, I would like to
also have barnyard send alerts to syslog.  I've reviewed the setup
guides at snort.org and what documentation or pointers I can find via
google, but I haven't come up with any information that is helping me
to correct the issue.

When I enable the syslog output directly in the snort conf, with the
same string I'm using in the barnyard.conf, I get syslog entries
as/where expected, so my local syslog is working fine.  I've tried the
configuration below, using alert_syslog with a remote syslog server,
and also using barnyard's alert_syslog2 plugin both locally and
remotely, but barnyard just doesn't seem to fire anything off to
syslog (when using alert_syslog2, tcpdump on the snort box shows no
traffic attempting to go to the remote machine).  I have continued to
receive events to the remote mysql instance in all of these syslog
test configurations.

====barnyard.conf====
output alert_syslog: LOG_LOCAL4 LOG_ALERT

====snort.conf====
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

====syslog.conf====
#test section for snort
local4.*                                                /var/log/snort-sl-log

====barnyard run string====
 /usr/local/bin/barnyard -c /etc/snort/barnyard.conf -d /var/log/snort
-w /etc/snort/waldo2 -f snort.log


I'm probably missing something minor/obvious, but I'm stumped, so I'd
appreciate any assistance.

Thanks.
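As an added example (not part of the post, and not code from the Barnyard project), the following Python check reads the three fragments shown above and reports, for each output plugin declared in barnyard.conf, whether the unified stream named by `-f` on the barnyard command line can deliver records to it at all. The plugin-to-record-type table is an assumption: it encodes Barnyard 0.2's split between alert_* plugins (fed by alert_unified records), log_* plugins (fed by log_unified records) and acid_db, whose mode is chosen by its first argument; confirm it against the README of the Barnyard build you run. The sample acid_db line and the database host are constructed.

```python
"""Check which Barnyard 0.2 output plugins can receive records from the
unified stream a barnyard command line points at.

Added example, not code from the list post or from the Barnyard project.
PLUGIN_STREAMS is an assumption about Barnyard 0.2's plugin classes:
alert_* plugins consume alert_unified records, log_* plugins consume
log_unified records, and acid_db takes 'alert' or 'log' as its first
argument. Verify against the README of the build you actually run.
"""
import re
import shlex

# Assumed mapping of output plugin -> unified record type it consumes.
PLUGIN_STREAMS = {
    "alert_fast": {"alert"},
    "alert_csv": {"alert"},
    "alert_syslog": {"alert"},
    "alert_syslog2": {"alert"},   # third-party plugin, assumed alert-only
    "log_dump": {"log"},
    "log_pcap": {"log"},
}

UNIFIED_RE = re.compile(
    r"^\s*output\s+(alert_unified|log_unified)\s*:\s*filename\s+([^,\s]+)")
PLUGIN_RE = re.compile(r"^\s*output\s+(\w+)\s*:?\s*(.*)$")


def parse_unified_outputs(snort_conf):
    """Map 'alert'/'log' to the unified base filename snort.conf writes.
    Only the two-plugin form used in the post (alert_unified/log_unified)
    is handled."""
    streams = {}
    for line in snort_conf.splitlines():
        m = UNIFIED_RE.match(line)
        if m:
            streams[m.group(1).split("_")[0]] = m.group(2)
    return streams


def parse_barnyard_plugins(barnyard_conf):
    """Return (plugin name, first argument or None) for each output line;
    comment lines never match because they do not start with 'output'."""
    plugins = []
    for line in barnyard_conf.splitlines():
        m = PLUGIN_RE.match(line)
        if m:
            args = [a.strip() for a in m.group(2).split(",")]
            plugins.append((m.group(1), args[0] or None))
    return plugins


def plugin_record_types(name, first_arg):
    """Record types a plugin handles; acid_db's mode comes from its first argument."""
    if name == "acid_db":
        return {first_arg} if first_arg in ("alert", "log") else None
    return PLUGIN_STREAMS.get(name)


def parse_barnyard_base(cmdline):
    """Return the unified base name given with -f on the barnyard command line."""
    args = shlex.split(cmdline)
    for i, arg in enumerate(args):
        if arg == "-f" and i + 1 < len(args):
            return args[i + 1]
        if arg.startswith("-f") and len(arg) > 2:   # -fsnort.log form
            return arg[2:]
    return None


def check_pipeline(snort_conf, barnyard_conf, cmdline):
    """Return (plugin, status, detail) per output plugin: 'ok' if the stream
    barnyard reads carries records the plugin handles, 'mismatch' if it never
    will, 'unknown' if the plugin is not in the assumed table."""
    streams = parse_unified_outputs(snort_conf)
    base = parse_barnyard_base(cmdline)
    consumed = {kind for kind, name in streams.items() if name == base}
    results = []
    for name, first_arg in parse_barnyard_plugins(barnyard_conf):
        needs = plugin_record_types(name, first_arg)
        if needs is None:
            results.append((name, "unknown", "not in the assumed plugin table"))
        elif needs & consumed:
            results.append((name, "ok", "receives %s records from -f %s"
                            % ("/".join(sorted(needs & consumed)), base)))
        else:
            results.append((name, "mismatch", "needs %s records, but -f %s selects %s"
                            % ("/".join(sorted(needs)), base,
                               "/".join(sorted(consumed)) or "no unified output")))
    return results


# Constructed sample: the post's snort.conf and run string, plus a barnyard.conf
# that also carries a (constructed) acid_db output for the MySQL feed.
SNORT_CONF = """
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
"""
BARNYARD_CONF = """
output alert_syslog: LOG_LOCAL4 LOG_ALERT
output acid_db: log, mysql, sensor_id 1, database snort, server db.example.invalid, user snort, password PLACEHOLDER
"""
RUN_LOG = ("/usr/local/bin/barnyard -c /etc/snort/barnyard.conf -d /var/log/snort "
           "-w /etc/snort/waldo2 -f snort.log")
RUN_ALERT = RUN_LOG.replace("-f snort.log", "-f snort.alert")

if __name__ == "__main__":
    for cmd in (RUN_LOG, RUN_ALERT):
        print(cmd)
        for plugin, status, detail in check_pipeline(SNORT_CONF, BARNYARD_CONF, cmd):
            print("  %-14s %-9s %s" % (plugin, status, detail))
```

Run against the post's own fragments, the check flags alert_syslog as a mismatch (it needs alert records, but `-f snort.log` selects the log_unified stream) while the log-mode acid_db output is fine; switching `-f` to snort.alert inverts the two, since one barnyard process follows one unified stream. A result pattern of "database keeps filling, syslog stays silent" is exactly what that split produces, which is why pairing every output plugin with the stream it reads is worth checking before looking at syslog itself.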



