[Snort-users] Snort-users Digest, Vol 45, Issue 10

Willst Mail willstmail at ...11827...
Thu Feb 4 18:36:17 EST 2010

In response to Shawn Jefferson re: barnyard2,
The questioner mentions he wants to log to a remote syslog as well as local.
 Except on Windows, barnyard2 does not support sending syslog to a remote
host but instead relies on logging locally and having the local syslog
server forward the message on barnyard2's behalf.

Speaking of which, might the original poster try configuring local syslog to
forward messages to the remote host at least as a troubleshooting step to
ensure communication in general works between the two hosts?

> Message: 3
> Date: Thu, 4 Feb 2010 09:54:02 -0700
> From: "Jefferson, Shawn" <Shawn.Jefferson at ...14448...>
> Subject: Re: [Snort-users] Barnyard Not Outputting to Syslog
> To: infosec posts <infosec.posts at ...11827...>,
>        "snort-users at lists.sourceforge.net"
>        <snort-users at lists.sourceforge.net>
> Message-ID:
>  <D05BDFB6A6F4EE43ABE62D1A7170AF37128159E122 at ...14473...
> >
> Content-Type: text/plain; charset="us-ascii"
> I suggest you go to Barnyard2, it is currently supported and being
> developed.
> I had a similar setup once (I'm now using Barnyard2), and I believe you
> actually have to run two instances of barnyard, since barnyard doesn't seem
> to be able to send alerts to two different locations (that's my recollection
> anyway, as I said, now I'm using Barnyard2, and it definitely will do what
> you want.)
> -----Original Message-----
> From: infosec posts [mailto:infosec.posts at ...11827...]
> Sent: Thursday, February 04, 2010 8:07 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Barnyard Not Outputting to Syslog
> I have a snort/barnyard implementation that has been sending alerts to
> a remote mysql instance since its inception.  Now, I would like to
> also have barnyard send alerts to syslog.  I've reviewed the setup
> guides at snort.org and what documenation or pointers I can find via
> google, but I haven't come up with any information that is helping me
> to correct the issue.
> When I enable the syslog output directly in the snort conf, with the
> same string I'm using in the barnyard.conf, I get syslog entries
> as/where expected, so my local syslog is working fine.  I've tried the
> configuration below, using alert_syslog with a remote syslog server,
> and also using barnyard's alert_syslog2 plugin both locally and
> remotely, but barnyard just doesn't seem to fire anything off to
> syslog (when using alert_syslog2, tcpdump on the snort box shows no
> traffic attempting to go to the remote machine).  I have continued to
> receive events to the remote mysql instance in all of these syslog
> test configurations.
> ====barnyard.conf====
> output alert_syslog: LOG_LOCAL4 LOG_ALERT
> ====snort.conf====
> output alert_unified: filename snort.alert, limit 128
> output log_unified: filename snort.log, limit 128
> ====syslog.conf====
> #test section for snort
> local4.*
>  /var/log/snort-sl-log
> ====barnyard run string====
>  /usr/local/bin/barnyard -c /etc/snort/barnyard.conf -d /var/log/snort
> -w /etc/snort/waldo2 -f snort.log
> I'm probably missing something minor/obvious, but I'm stumped, so I'd
> appreciate any assistance.
> Thanks.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20100204/f9fb749f/attachment.html>

More information about the Snort-users mailing list