[Snort-users] How to best do DB *and* syslog logging?

Martin Holste mcholste at ...11827...
Wed Nov 30 14:32:41 EST 2011


It's tough to beat Snorby for just Snort data, but if you'd also like
your console to contain URL data and router/server logs, and since
you're already doing syslog, you may want to check out my ELSA
project: http://code.google.com/p/enterprise-log-search-and-archive/ .

On Wed, Nov 30, 2011 at 1:03 PM, beenph <beenph at ...11827...> wrote:
> On Wed, Nov 30, 2011 at 11:45 AM, Miguel Alvarez <miguellvrz9 at ...11827...> wrote:
>> Right now, I'm logging my snort alerts back to a syslog server but I'd
>> like to start playing with Snorby.  Please correct me if I'm wrong but
>> I think the ideal way to do this would be to log via unified2 and use
>> barnyard to send the alert data to snorby's DB but I can't lose my
>> syslog functionality.  I really wish barnyard was able to do this on
>> non-Windows boxes!  But what would be the best way to achieve this
>> short of running two separate snort instances?
>>
> If you need local syslog and forward them, barnyard2 currently supports
> this on Windows and non-Windows systems.
>
> If you need remote syslog logging
>
> You can access the feature in its current branch via
>
> https://github.com/binf/barnyard2/tree/RemoteSyslogFix
>
> Also
> If you look in the provided barnyard2.conf you can see output plugin
> conf example.
>
> Note that it uses a slightly different logging message format from the
> default Snort format,
> but you have the possibility to configure field delimiters and
> separators from the config file.
>
> Configuration example for remote syslog
> # alert_syslog
> # ----------------------------------------------------------------------------
> #
> # Purpose:
> # This output module provides the ability to output alert information to local syslog
> #
> # severity - as defined in RFC 3164 (eg. LOG_WARN, LOG_INFO)
> # facility - as defined in RFC 3164 (eg. LOG_AUTH, LOG_LOCAL0)
> #
> # Examples:
> # output alert_syslog
> # output alert_syslog: LOG_AUTH LOG_INFO
> #
> # syslog_full
> #-------------------------------
> # Available as both a log and alert output plugin. Used to output data via TCP/UDP
> # Arguments:
> # sensor_name $sensor_name - unique sensor name
> # server $server - server the device will report to
> # protocol $protocol - protocol device will report over (tcp/udp)
> # port $port - destination port device will report to (default: 514)
> # detail $detail_threshold - specify full/complete log reporting or only summaries.
> # delimiters - define a character that will delimit message sections ex: "|", will use | as message section delimiters. (default: |)
> # separators - define field separator included in each message ex: " ", will use space as field separator. (default: [:space:])
> # output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514
> # output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514
> # output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol tcp, port 514
> # output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol tcp, port 514
>
> If you have barnyard2-related questions, you're also welcome to send them
> over to the by2 MLs.
>
> -elz
>
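The quoted barnyard2.conf fragment describes the receiving end only by its knobs: an RFC 3164 facility/severity pair (which together form the syslog PRI), a section delimiter ("|" by default) and a field separator (space by default), sent over udp or tcp to port 514. The following is an added example, not code from barnyard2, Snort or anyone in the thread: a small collector-side decoder that recovers the facility and severity from the PRI, splits the message body on the configured delimiter and separator, and rejects lines with an out-of-range PRI instead of dying on them. The sample lines are constructed for illustration and do not reproduce barnyard2's actual field layout; the hostnames, sensor names and RFC 5737 addresses are made up.

```python
"""Collector-side decoding of RFC 3164 syslog lines shaped the way the
barnyard2 syslog_full options in the thread describe (section delimiter "|",
field separator " "). Added example, not barnyard2/Snort code; the sample
lines below are constructed and do not reproduce barnyard2's real layout.
"""
import re
import socket

# RFC 3164 numeric codes as used by the LOG_* names in barnyard2.conf.
# PRI = facility * 8 + severity, so "LOG_AUTH LOG_INFO" is <38>.
FACILITIES = {"LOG_KERN": 0, "LOG_USER": 1, "LOG_MAIL": 2, "LOG_DAEMON": 3,
              "LOG_AUTH": 4, "LOG_SYSLOG": 5, "LOG_LPR": 6, "LOG_NEWS": 7,
              "LOG_UUCP": 8, "LOG_CRON": 9, "LOG_AUTHPRIV": 10, "LOG_FTP": 11,
              "LOG_LOCAL0": 16, "LOG_LOCAL1": 17, "LOG_LOCAL2": 18, "LOG_LOCAL3": 19,
              "LOG_LOCAL4": 20, "LOG_LOCAL5": 21, "LOG_LOCAL6": 22, "LOG_LOCAL7": 23}
SEVERITIES = {"LOG_EMERG": 0, "LOG_ALERT": 1, "LOG_CRIT": 2, "LOG_ERR": 3,
              "LOG_WARNING": 4, "LOG_NOTICE": 5, "LOG_INFO": 6, "LOG_DEBUG": 7}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}

# Constructed sample datagrams (hypothetical alerts, not captured traffic):
# the first two use PRI 38 (LOG_AUTH+LOG_INFO) and 132 (LOG_LOCAL0+LOG_WARNING),
# the third carries an impossible PRI to exercise the rejection path.
SAMPLE_LINES = [
    "<38>Nov 30 14:32:41 sensor1 barnyard2: snortIds1-eth2 | 1:2100498:7 | "
    "GPL ATTACK_RESPONSE id check returned root | TCP | 192.0.2.10:80 -> 198.51.100.5:40234",
    "<132>Nov 30 14:32:42 sensor1 barnyard2: snortIds1-eth2 | 1:1000001:1 | "
    "LOCAL test rule | UDP | 198.51.100.5:53 -> 192.0.2.10:33333",
    "<999>Nov 30 14:32:43 sensor1 barnyard2: bad PRI",
]

# <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG  (RFC 3164 BSD syslog layout)
_RFC3164 = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")


def encode_pri(facility: str, severity: str) -> int:
    """Sender side: the PRI that 'output alert_syslog: <facility> <severity>' implies."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(pri: int):
    """Receiver side: split PRI back into (facility, severity) names; 0..191 only."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of RFC 3164 range 0..191")
    fac = FACILITY_NAMES.get(pri // 8, f"facility{pri // 8}")  # 12..15 have no LOG_* name
    return fac, SEVERITY_NAMES[pri % 8]


def parse_syslog_line(line: str, delimiter: str = "|", separator: str = " ") -> dict:
    """Decode one line using the same delimiter/separator the sensor was configured with."""
    m = _RFC3164.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 line: {line!r}")
    pri = int(m.group(1))
    facility, severity = decode_pri(pri)
    tag, colon, body = m.group(4).partition(":")  # first ':' ends the TAG, later ones are payload
    if not colon:
        tag, body = "", m.group(4)
    sections = [sec.strip() for sec in body.split(delimiter)]
    split = (lambda s: s.split()) if not separator.strip() else (lambda s: s.split(separator))
    return {"pri": pri, "facility": facility, "severity": severity,
            "timestamp": m.group(2), "host": m.group(3), "tag": tag,
            "sections": sections, "fields": [split(sec) for sec in sections]}


def build_datagram(facility, severity, host, tag, sections, delimiter="|",
                   timestamp="Nov 30 14:32:41") -> bytes:
    """Assemble a line in the same shape, to feed a collector during testing."""
    body = f" {delimiter} ".join(sections)
    return f"<{encode_pri(facility, severity)}>{timestamp} {host} {tag}: {body}".encode()


def send_udp(datagram: bytes, server: str, port: int = 514) -> None:
    """Fire-and-forget delivery like 'protocol udp' in the config: a lost datagram is silent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, (server, port))


def ingest(lines):
    """Parse what parses and keep the rest with a reason, so one bad line cannot stop the collector."""
    good, bad = [], []
    for ln in lines:
        try:
            good.append(parse_syslog_line(ln))
        except ValueError as exc:
            bad.append((ln, str(exc)))
    return good, bad


if __name__ == "__main__":
    ok, rejected = ingest(SAMPLE_LINES)
    for rec in ok:
        print(rec["facility"], rec["severity"], rec["host"], rec["sections"])
    print(f"{len(rejected)} line(s) rejected")
```

Two practical points follow from the config options. First, the delimiter is chosen on the sensor, so pick one that cannot appear inside a rule message (a "|" inside an msg string would split that section in two on the collector). Second, the udp variant in the examples gives no delivery guarantee and no confidentiality; the tcp variant in the same fragment at least tells you when the collector is unreachable, which is what you want if syslog is the copy you rely on when the Snorby database is down.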