[Snort-users] Best practice for logging alerts to syslog
deusexmachina667 at ...11827...
Mon Dec 17 18:25:52 EST 2012
I was really leaning towards that, since the purpose of by2 is to offload
output formatting to begin with, but this really confirms it.
On Mon, Dec 17, 2012 at 10:03 AM, Joel Esler <jesler at ...1935...> wrote:
> On Dec 15, 2012, at 10:11 PM, Tony Robinson <deusexmachina667 at ...11827...> wrote:
> > Wanted to ask a question regarding what is best practice for Snort to log
> > alerts to syslog -- is it the better practice to have Snort itself, via
> > snort.conf, handle this, or should barnyard2 be installed, Snort configured
> > to log to unified2, and barnyard2 handle logging to syslog? I'm asking
> > because the next thing I'd like to do for autosnort is offer a
> > configuration option to log to syslog (for SIEM integration to something
> > like splunk, graylog2, etc.) if the user wasn't interested in a web
> > front-end, and I wanted to know what the accepted/best practice was here.
> I'd personally prefer to have Snort output to unified2 and have barnyard2
> deal with it.
> Allows for much more than just syslog in that case. You know, in case
> Snort dies or something, at least the logs are there for backup.
> Just my *druthers*.
> *Joel Esler*
> Senior Research Engineer, VRT
> OpenSource Community Manager
when does reality end? when does fantasy begin?
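The two layouts discussed in the thread, written out as configuration fragments. This is an added example, not configuration from the thread, from autosnort, or from the Snort/barnyard2 projects; the file paths, the `local4` facility, the waldo bookmark file name and the SIEM hostname are assumptions chosen for illustration.

```conf
# --- Option A: Snort writes to syslog directly (snort.conf) ---
# Simple, but Snort does the formatting and syslog I/O in the packet path,
# and if Snort dies nothing else holds the alert data.
output alert_syslog: LOG_LOCAL4 LOG_ALERT

# --- Option B: Snort writes unified2, barnyard2 relays to syslog ---
# snort.conf: binary spool only; Snort stays out of the output business.
output unified2: filename snort.u2, limit 128

# barnyard2.conf: read the spool, emit to syslog (and anything else needed).
config hostname: sensor01         # assumed sensor name, shows up in events
config interface: eth0            # assumed sniffing interface
input unified2
output alert_syslog: LOG_LOCAL4 LOG_ALERT
# Additional outputs can be added here without touching Snort, e.g. a
# database for a web front-end alongside the syslog feed.

# Start-up (assumed paths): Snort spools, barnyard2 tails the spool and keeps
# its read position in a waldo file so a restart resumes rather than replays.
#   snort -c /etc/snort/snort.conf -i eth0 -l /var/log/snort -D
#   barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 \
#             -w /var/log/snort/barnyard2.waldo -D

# rsyslog forwarding rule (/etc/rsyslog.d/snort.conf, assumed): ship the
# local4 facility to the SIEM over TCP so a short outage queues rather than
# drops. Hostname is a placeholder.
#   local4.* @@siem.example.invalid:514
```

The practical difference is where the buffer sits: with option B the unified2 spool on disk is the record of truth, barnyard2 can be stopped, reconfigured or pointed at a second output and then catch up from the waldo offset, and a syslog or SIEM outage never back-pressures the sensor. With option A a failure anywhere past Snort loses the alert.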