[Snort-users] Best practice for logging alerts to syslog

Tony Robinson deusexmachina667 at ...11827...
Mon Dec 17 18:25:52 EST 2012

I was really leaning towards that, since the purpose of by2 is to offload
output formatting to begin with, but this really confirms it.



On Mon, Dec 17, 2012 at 10:03 AM, Joel Esler <jesler at ...1935...> wrote:

> On Dec 15, 2012, at 10:11 PM, Tony Robinson <deusexmachina667 at ...11827...>
> wrote:
>
> Wanted to ask a question regarding what is best practice for snort to log
> alerts to syslog -- is it the better practice to have snort itself, via
> snort.conf handle this, or should barnyard2 be installed, snort configured
> to log to unified 2 and barnyard 2 handle logging to syslog? I'm asking
> because the next thing I'd like to do for autosnort is offer a
> configuration option to log to syslog (for SIEM integration to something
> like splunk, graylog2, etc.) if the user wasn't interested in a web
> front-end and wanted to know what the accepted/best practice was here.
>
> I'd personally prefer to have Snort output to unified2 and have barnyard2
> deal with it.
> Allows for much more than just syslog in that case.  You know, in case
> Snort dies or something, at least the logs are there for backup.
> Just my *druthers*.
>
> --
> *Joel Esler*
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire

when does reality end? when does fantasy begin?
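As an added illustration of the setup Joel recommends above (not configuration taken from the thread, from autosnort, or from the Snort/barnyard2 projects' shipped files), the following fragments show Snort writing unified2 spool files and barnyard2 reading them and forwarding alerts to syslog. The paths, sensor name, interface and the 192.0.2.10 collector address are assumed placeholders; the `alert_syslog_full` options follow the barnyard2 sample configuration.

```conf
# --- snort.conf (output section) ---
# Direct approach being weighed in the thread: Snort formats and ships
# syslog itself. Kept here only for comparison; disable it when barnyard2
# owns output, so every event is not sent twice.
# output alert_syslog: LOG_AUTH LOG_ALERT

# Recommended approach: binary unified2 spool on disk, rotated at 128 MB.
# The spool survives a Snort crash or a dead syslog collector; barnyard2
# picks up where it left off using the waldo bookmark below.
output unified2: filename snort.u2, limit 128

# --- barnyard2.conf ---
config logdir:     /var/log/barnyard2            # assumed path
config hostname:   sensor01                      # assumed sensor name
config interface:  eth1                          # assumed monitored interface
config waldo_file: /var/log/snort/barnyard2.waldo  # bookmark into the spool
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map

# Read the unified2 records Snort wrote above.
input unified2

# Local syslog: the classic alert_syslog plugin, same facility/priority
# pair the direct Snort output would have used.
output alert_syslog: LOG_AUTH LOG_ALERT

# Remote SIEM (splunk, graylog2, ...): forward directly over UDP/514 with the
# full event detail and hex-encoded payload. 192.0.2.10 is a documentation
# address standing in for the real collector.
output alert_syslog_full: sensor_name sensor01-eth1, server 192.0.2.10, protocol udp, port 514, operation_mode default, log_priority LOG_INFO, log_facility LOG_USER, payload_encoding hex

# --- starting barnyard2 against the spool (shell) ---
# -d spool directory, -f base filename from snort.conf, -w waldo file, -D daemon
# barnyard2 -c /etc/barnyard2/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -D
```

If the collector is unreachable, unified2 records keep accumulating in /var/log/snort and are replayed from the waldo offset once barnyard2 can deliver again, which is the backup behaviour the thread points to.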
