[Snort-users] Best practice for logging alerts to syslog

Tony Robinson deusexmachina667 at ...11827...
Mon Dec 17 18:25:52 EST 2012


I was really leaning towards that, since the purpose of by2 is to offload
output formatting to begin with, but this really confirms it.

Thanks,

DA

On Mon, Dec 17, 2012 at 10:03 AM, Joel Esler <jesler at ...1935...> wrote:

> On Dec 15, 2012, at 10:11 PM, Tony Robinson <deusexmachina667 at ...11827...>
> wrote:
>
> Wanted to ask a question regarding what is best practice for snort to log
> alerts to syslog -- is it the better practice to have snort itself, via
> snort.conf handle this, or should barnyard2 be installed, snort configured
> to log to unified 2 and barnyard 2 handle logging to syslog? I'm asking
> because the next thing I'd like to do for autosnort is offer a
> configuration option to log to syslog (for SIEM integration to something
> like splunk, graylog2, etc.) if the user wasn't interested in a web
> front-end and wanted to know what the accepted/best practice was here.
>
>
> I'd personally prefer to have Snort output to unified2 and have barnyard2
> deal with it.
>
> Allows for much more than just syslog in that case.  You know, in case
> Snort dies or something, at least the logs are there for backup.
>
> Just my *druthers*.
>
> --
> *Joel Esler*
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
>



-- 
when does reality end? when does fantasy begin?
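The two arrangements discussed in the thread, written out as an added configuration example (not from the original post, nor from the Snort or barnyard2 projects); the file names, paths, syslog facility, hostname and interface are assumptions:

```conf
# --- Option A: Snort itself writes to syslog (in snort.conf) ---
# Alerts reach the local syslog daemon immediately, but Snort keeps no
# on-disk copy, so if the syslog transport is down the event is gone.
output alert_syslog: LOG_AUTH LOG_ALERT

# --- Option B: Snort spools unified2, barnyard2 forwards to syslog ---
# snort.conf: binary unified2 records on disk, rotated at 128 MB (assumed size)
output unified2: filename snort.u2, limit 128

# barnyard2.conf (assumed path: /etc/snort/barnyard2.conf)
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map
config hostname:  sensor01        # assumed sensor name, appears in the messages
config interface: eth1            # assumed sniffing interface
# The waldo file records how far into the spool barnyard2 has read, so a
# restart of barnyard2 (or a Snort crash) resumes without losing events.
config waldo_file: /var/log/snort/barnyard2.waldo
input unified2
# Forward every alert to the local syslog daemon on facility LOCAL4, from
# where the syslog daemon itself can relay to a SIEM (Splunk, Graylog2, ...).
output alert_syslog: LOG_LOCAL4 LOG_ALERT
```

For option B, barnyard2 runs continuously against the spool directory, e.g. `barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo`; the unified2 files stay on disk as the backup Joel refers to, and can be replayed later into any other barnyard2 output plugin.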

