[Snort-users] Best practice for logging alerts to syslog

Joel Esler jesler at ...1935...
Mon Dec 17 10:03:12 EST 2012


On Dec 15, 2012, at 10:11 PM, Tony Robinson <deusexmachina667 at ...11827...> wrote:

> Wanted to ask a question regarding what is best practice for snort to log alerts to syslog -- is it the better practice to have snort itself, via snort.conf handle this, or should barnyard2 be installed, snort configured to log to unified 2 and barnyard 2 handle logging to syslog? I'm asking because the next thing I'd like to do for autosnort is offer a configuration option to log to syslog (for SIEM integration to something like splunk, graylog2, etc.) if the user wasn't interested in a web front-end and wanted to know what the accepted/best practice was here.

I'd personally prefer to have Snort output to unified2 and have barnyard2 deal with it.

Allows for much more than just syslog in that case.  You know, in case Snort dies or something, at least the logs are there for backup.

Just my druthers.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20121217/ca6c21aa/attachment.html>


More information about the Snort-users mailing list