[Snort-users] How to best do DB *and* syslog logging?

beenph beenph at ...11827...
Wed Nov 30 14:03:17 EST 2011


On Wed, Nov 30, 2011 at 11:45 AM, Miguel Alvarez <miguellvrz9 at ...11827...> wrote:
> Right now, I'm logging my snort alerts back to a syslog server but I'd
> like to start playing with Snorby.  Please correct me if I'm wrong but
> I think the ideal way to do this would be to log via unified2 and use
> barnyard to send the alert data to snorby's DB but I can't lose my
> syslog functionality.  I really wish barnyard was able to do this on
> non-Windows boxes!  But what would be the best way to achieve this
> short of running two separate snort instances?
>
If you need local syslog and to forward them, barnyard2 currently supports
this on Windows and non-Windows systems.

If you need remote syslog logging

You can access the feature in its current branch via

https://github.com/binf/barnyard2/tree/RemoteSyslogFix

Also
If you look in the provided barnyard2.conf you can see output plugin
conf example.

Note that it uses a slightly different logging message format from the
default snort format,
but you have the possibility to configure field delimiters and
separators from the config file.

Configuration example for remote syslog
# alert_syslog
# ----------------------------------------------------------------------------
#
# Purpose:
# This output module provides the ability to output alert information to local syslog
#
# severity - as defined in RFC 3164 (eg. LOG_WARN, LOG_INFO)
# facility - as defined in RFC 3164 (eg. LOG_AUTH, LOG_LOCAL0)
#
# Examples:
# output alert_syslog
# output alert_syslog: LOG_AUTH LOG_INFO
#
# syslog_full
#-------------------------------
# Available as both a log and alert output plugin. Used to output data via TCP/UDP
# Arguments:
# sensor_name $sensor_name - unique sensor name
# server $server - server the device will report to
# protocol $protocol - protocol device will report over (tcp/udp)
# port $port - destination port device will report to (default: 514)
# detail $detail_threshold - specify full/complete log reporting or only summaries.
# delimiters - define a character that will delimit message sections ex: "|", will use | as message section delimiters. (default: |)
# separators - define field separator included in each message ex: " ", will use space as field separator. (default: [:space:])
# output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514
# output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514
# output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol tcp, port 514
# output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol tcp, port 514

If you have barnyard2 related questions, you're also welcome to send them
over to the by2 MLs.

-elz
