[Snort-users] snort syslog output support

James Lay digitalx00 at ...11827...
Fri Sep 14 06:57:21 EDT 2012


On Sep 14, 2012, at 12:22 AM, Randal T. Rioux <randy at ...13561...> wrote:

> On 5/30/2012 8:33 AM, James Lay wrote:
>> On May 30, 2012, at 5:51 AM, Kungu Panda wrote:
>>> I need to send snort syslog alerts to out central syslog system.  I
>>> thought I read in a previous posting that snort syslog output was
>>> going away.  Is this still true, has it happened?
>>> 
>>> What would be the best way to perform this? Any
>>> recommendations/ideas would be helpful.
>>> 
>>> Thanks! KPanda
>> 
>> 
>> I certainly hope not... having IDS go to syslog is a PCI requirement
>> (Section 10 of PCI DSS 2.0).  Not having this would be bad.
> 
> Hey kids. I'm back. Catching up on email lists - I'm up to May. Been a
> little... distracted.
> 
> Is the language verbatim that "syslog" must send the alerts, or that
> they just need to be collected and stored? For example, Ci$co uses SDEE,
> but I've never seen that fail a PCI audit.
> 
> I'd look it up myself, but my dog just farted on me and I need to get
> away fast.
> 
> Randy
> 
> 

Negative.  PCI DSS 2.0 requires a "central logging server".  How you log and store is up to you.

James
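For the practical side of KPanda's question (getting Snort alerts onto a central syslog server), the following configuration fragment is an added illustration, not text from the thread or from the Snort project. The collector address 192.0.2.10, port 514, and the LOG_AUTH/LOG_ALERT facility and priority are assumed values chosen for the example.

```conf
# --- snort.conf (Snort 2.x) ---
# Hand every alert to the local syslog daemon. The facility/priority
# pair is an assumption for this example; choose whatever your
# central collector filters on. (The -s command-line switch does the
# same thing without a config change.)
output alert_syslog: LOG_AUTH LOG_ALERT

# Alternative: let Snort send straight to the collector instead of
# the local daemon. 192.0.2.10:514 is an assumed address.
# output alert_syslog: host=192.0.2.10:514, LOG_AUTH LOG_ALERT

# --- /etc/rsyslog.d/snort.conf on the sensor (assumed rsyslog) ---
# Forward the facility Snort logs to, over TCP (@@ = TCP, @ = UDP).
# Keeping the hop through the local daemon lets rsyslog queue on
# disk and retry if the collector is unreachable, so alerts are not
# silently dropped while the link is down.
# auth.alert @@192.0.2.10:514
```

Whichever path is used, verify end to end by triggering a known test rule on the sensor and confirming the alert line arrives on the collector with the expected facility, before relying on it for the central-log-server requirement discussed above.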
