[Snort-users] Snort and multiple logging

Jefferson, Shawn Shawn.Jefferson at ...14448...
Wed Oct 6 14:40:47 EDT 2010


Hi,

I'm doing this exactly, with Snort and Barnyard2.

Alerts go to syslog on the sensor, as well as to a BASE MySQL database.  The syslogs are sent to a central log server (EnVision) and also read by a local OSSEC agent.

It all works fine.
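For anyone setting up the same split, here is an added example of the Barnyard2 output section that produces both destinations at once; it is not Shawn's or the list's own configuration. Alerts go to the sensor's local syslog (facility LOG_AUTH), where the sensor's syslog daemon can both forward them to a central log server and write them to a local file for an OSSEC agent to tail, and to the BASE/MySQL database. The sensor name, interface, unified2 file name, waldo path, collector address and database credentials are placeholders.

```conf
# --- snort.conf (sensor side): Snort writes binary unified2 and nothing else.
# output unified2: filename snort.u2, limit 128

# --- barnyard2.conf (sensor side): Barnyard2 reads the unified2 spool and
# hands every event to each configured output plugin, so both destinations
# receive the same alerts.
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map
config hostname:  sensor1                   # placeholder sensor name
config interface: eth1                      # placeholder monitored interface
config waldo_file: /var/log/snort/barnyard2.waldo

input unified2

# Destination 1: the sensor's own syslog daemon, facility LOG_AUTH.
# rsyslog/syslog-ng then forwards that facility to the central log server
# and writes it to a local file that the OSSEC agent reads (ossec.conf
# <localfile> entry) for its active responses.
output alert_syslog: LOG_AUTH LOG_ALERT

# Alternative if Barnyard2 should send straight to a remote syslog collector
# (192.0.2.10 is a placeholder) instead of going through the local daemon:
# output alert_syslog_full: sensor_name sensor1, server 192.0.2.10, protocol udp, port 514, operation_mode default, log_facility LOG_AUTH, log_priority LOG_INFO

# Destination 2: the BASE database. Credentials are placeholders; give the
# sensor a least-privilege MySQL account that can only INSERT into the schema.
output database: log, mysql, user=snort password=CHANGEME dbname=snort host=127.0.0.1

# Run Barnyard2 against the spool directory, tracking position in the waldo file:
# barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo
```

Keeping Snort itself on unified2 only is the point of the design: the packet-capture process never blocks on a slow database or a syslog socket, and Barnyard2 replays from the waldo position if either destination is down.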


-----Original Message-----
From: egoitz at ...14994... [mailto:egoitz at ...14994...] 
Sent: October 06, 2010 10:49 AM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort and multiple logging

Hi all,

But I needed to generate file logs so that OSSEC could be configured to
read them and run active responses... (AFAIK OSSEC doesn't read from
MySQL) and I wanted a web GUI for real-time monitoring of intrusion
activity and so on. Are those Barnyard2 files readable by OSSEC? Or could
I tell Barnyard2 to send the logs to one remote syslog server (for OSSEC
to be able to read them) and also to a MySQL server for BASE to read them
and display current statistics?

Thanks a lot for all your help.
Bye!!


> Egoitz,
>
> 1. I would strongly recommend using Barnyard2 for your output processing if
> you are not already. There are several how-to documents available on setting
> this up on http://www.snort.org/docs/setup-guides/; pick the paper that best
> matches your OS or flavor of Linux. Each Snort instance can be set up to
> send its output to a remote syslog server and MySQL database via Barnyard
> simultaneously.
>
> 2. I would also strongly recommend using BASE instead of ACID. ACID is no
> longer being maintained.
>
> Happy Snorting!
>
> Nick
>
>
> On Wed, Oct 6, 2010 at 6:38 AM, <egoitz at ...14994...> wrote:
>
>> Hello all,
>>
>> I would like to know if I can configure Snort to output logs to a remote
>> syslog and simultaneously to a MySQL database. The reason for doing it
>> this way is to use ACID (which reads from MySQL and works in real time)
>> and OSSEC active responses, which require logs to be in a log file...
>> Since I plan to have several Snort servers to share the load (each Snort
>> scanning one switch's traffic), I'm planning to log all Snort servers
>> to a remote syslog (whose file is going to be scanned constantly by
>> OSSEC, which executes the active responses) and simultaneously to MySQL
>> so that ACID can display the collected IDS data in real time.
>>
>>
>> Could this be possible, mates? To log simultaneously to a remote syslog
>> and to MySQL?... Or is there any other advisable way of achieving this
>> goal?
>>
>> Thanks a lot.
>> Bye!
>>
>>
>>
>> ------------------------------------------------------------------------------
>> Beautiful is writing same markup. Internet Explorer 9 supports
>> standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
>> Spend less time writing and  rewriting code and more time creating great
>> experiences on the web. Be a part of the beta today.
>> http://p.sf.net/sfu/beautyoftheweb
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>
>
>
> --
> Nick Moore, SFCE, CISSP, CISA
> Sr. Systems Engineer
> Voice 708-336-9041
> Email nick.moore at ...1935...
> IM    nickgmoore (Yahoo)
>        nickgmoore38 (AIM)
>
>     ,,_
>    o"  )~   Sourcefire - The Creators of Snort
>     ''''
>
> www.sourcefire.com         www.snort.org
>


