[Snort-users] Send snort alerts via syslog to ArcSight

beenph beenph at ...11827...
Mon Oct 1 17:22:19 EDT 2012


On Mon, Oct 1, 2012 at 5:05 PM, Joel Esler <jesler at ...1935...> wrote:
> I believe (and that means I'm probably totally wrong about this), but I
> believe barnyard's syslog format differs slightly from the built in Snort
> format.
>
> Someone correct me if I'm wrong on that?

@joel
2-1.10 uses the same format if someone uses the syslog_full output plugin.


@Pablo
download barnyard2 2-1.10

and configure the following output plugin:

# syslog_full
#-------------------------------
# Available as both a log and alert output plugin. Used to output data via TCP/UDP or LOCAL, i.e. syslog()
# Arguments:
# sensor_name $sensor_name - unique sensor name
# server $server - server the device will report to
# local - if defined, ignore all remote information and use syslog() to send message.
# protocol $protocol - protocol device will report over (tcp/udp)
# port $port - destination port device will report to (default: 514)
# delimiters $delimiters - define a character that will delimit message sections ex: "|", will use | as message section delimiter. (default: |)
# separators $separators - define field separator included in each message ex: " ", will use space as field separator. (default: [:space:])
# operation_mode $operation_mode - default | complete : default mode is compatible with the default snort syslog message, complete prints more information such as the raw packet (hexed)
# log_priority $log_priority - used by local option for syslog priority call. (man syslog(3) for supported options) (default: LOG_INFO)
# log_facility $log_facility - used by local option for syslog facility call. (man syslog(3) for supported options) (default: LOG_USER)
# Usage Examples:
# output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode default
# output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode complete
# output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode default
# output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode complete
# output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514
# output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514
# output alert_syslog_full: sensor_name snortIds1-eth2, local
# output log_syslog_full: sensor_name snortIds1-eth2, local, log_priority LOG_CRIT, log_facility LOG_CRON

Just make sure that operation_mode is set to default and it should be
like Snort's syslog output.

-elz
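The thread's point is that barnyard2's syslog_full plugin in operation_mode default emits the same message shape as Snort's own alert_syslog output, so whatever the SIEM side already does with Snort syslog keeps working. What that shape is, and how a collector in front of ArcSight would pull fields out of it, is shown by the following added example. It is not code from the thread, from Snort or from barnyard2: it assumes the documented Snort alert_syslog layout `[gid:sid:rev] msg [Classification: text] [Priority: n] {PROTO} src:port -> dst:port` (Classification omitted when the rule has no classtype, ports omitted for ICMP), handles only IPv4, and the sample syslog lines are constructed for the example. It validates message shape only; it cannot authenticate the sender, which plain UDP syslog on port 514 does not do either.

```python
"""Parse Snort-style syslog alert lines into fields a SIEM connector can map.

Added example for the Snort-users thread; not code from Snort or barnyard2.
Assumes the Snort alert_syslog message shape, which the thread says
barnyard2 syslog_full reproduces in operation_mode default. IPv4 only.
"""
import re
from typing import Dict, List, Optional

# Constructed sample lines (not real traffic), as an rsyslog/collector would
# store them after the syslog header. The last line is from another daemon.
SAMPLE_LINES = [
    "Oct  1 17:22:19 snortIds1 snort[4242]: [1:2100498:7] GPL ATTACK_RESPONSE "
    "id check returned root [Classification: Potentially Bad Traffic] "
    "[Priority: 2] {TCP} 203.0.113.5:80 -> 192.0.2.10:34567",
    "Oct  1 17:22:20 snortIds1 snort[4242]: [1:366:7] ICMP PING *NIX "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 203.0.113.5",
    "Oct  1 17:22:21 snortIds1 snort[4242]: [1:1000001:1] LOCAL test rule "
    "[Priority: 3] {UDP} 192.0.2.77:53123 -> 198.51.100.2:53",
    "Oct  1 17:22:22 snortIds1 sshd[100]: Accepted publickey for ops from 192.0.2.3",
]

# BSD-style syslog header: optional <PRI>, timestamp, host, tag[pid]: body
SYSLOG_HEADER_RE = re.compile(
    r"^(?:<\d{1,3}>)?"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+"
    r"(?P<tag>[\w.\-]+)(?:\[(?P<pid>\d+)\])?:\s+"
    r"(?P<body>.*)$"
)

# Snort alert body. Classification is optional; ports are absent for ICMP.
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ALERT_BODY_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9\-]+)\}\s+"
    rf"(?P<src>{IPV4})(?::(?P<sport>\d+))?\s+->\s+"
    rf"(?P<dst>{IPV4})(?::(?P<dport>\d+))?\s*$"
)


def severity(priority: int) -> str:
    """Map Snort's numeric priority (1 = most severe) to a coarse label."""
    return {1: "high", 2: "medium", 3: "low"}.get(priority, "info")


def parse_snort_syslog(line: str) -> Optional[Dict[str, object]]:
    """Return the alert fields for one syslog line, or None if it is not a Snort alert."""
    header = SYSLOG_HEADER_RE.match(line.rstrip("\r\n"))
    if not header:
        return None
    body = ALERT_BODY_RE.match(header.group("body"))
    if not body:
        return None  # another program's message, or a malformed alert
    f = body.groupdict()
    prio = int(f["priority"])
    return {
        "timestamp": header.group("ts"),
        "sensor": header.group("host"),
        "gid": int(f["gid"]), "sid": int(f["sid"]), "rev": int(f["rev"]),
        "msg": f["msg"],
        "classification": f["classification"],  # None when the rule has no classtype
        "priority": prio,
        "severity": severity(prio),
        "proto": f["proto"].upper(),
        "src": f["src"], "sport": int(f["sport"]) if f["sport"] else None,
        "dst": f["dst"], "dport": int(f["dport"]) if f["dport"] else None,
    }


def parse_all(lines: List[str]) -> List[Dict[str, object]]:
    """Parse a batch of lines, dropping anything that is not a Snort alert."""
    return [ev for ev in (parse_snort_syslog(l) for l in lines) if ev is not None]


if __name__ == "__main__":
    for ev in parse_all(SAMPLE_LINES):
        print(f'{ev["severity"]:6} {ev["gid"]}:{ev["sid"]}:{ev["rev"]} {ev["msg"]} '
              f'{ev["proto"]} {ev["src"]}:{ev["sport"]} -> {ev["dst"]}:{ev["dport"]}')
```

The body regex, not the syslog tag, decides whether a line is an alert, so it works whether the sender tags messages as snort or as barnyard2. If operation_mode is switched to complete, the extra sections (including the hex packet) will not match this pattern and the line is dropped rather than mis-parsed; that is the failure to look for first when a connector suddenly stops producing events.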



