[Snort-users] [barnyard2-users] Logging to the Windows event log

Michael Steele michaels at ...9077...
Wed Jan 30 21:29:08 EST 2013


Rich,

Yes, that logs events to the Application log in Windows, but Barnyard2 fails
to process events to the database?

If I remove the -E switch Barnyard2 processes events to the database.

It appears that selecting the -E switch disables all other logging
mechanisms?

Best regards,
Michael...

> -----Original Message-----
> From: barnyard2-users at ...14071... [mailto:barnyard2-users at ...14071...] On Behalf Of Rich Rumble
> Sent: Wednesday, January 30, 2013 8:43 PM
> To: barnyard2-users at ...14071...
> Subject: Re: [barnyard2-users] Logging to the Windows event log
> 
> On Wed, Jan 30, 2013 at 8:32 PM, Rich Rumble <richrumble at ...11827...>
> wrote:
> > On Wed, Jan 30, 2013 at 8:25 PM, Michael Steele
> <michaels at ...9077...> wrote:
> >> Snort used to log events to the Event Viewer under Application log,
> >> but apparently that function no longer works.
> >>
> >> Using the below in the snort.conf used to work:
> >>
> >> output alert_syslog: LOG_AUTH LOG_ALERT
> >
> > Again, this was a command-line switch in Snort, not a conf setting. I've
> > looked at the source and change logs, and it should still be present from
> > what I can tell; try the "-E" option:
> > http://flylib.com/books/en/2.12.1.51/1/
> Just downloaded the latest
> (http://s3.amazonaws.com/snort-org/www/snort-current/20121129/Snort_2_9_4_Installer.exe)
> C:\Snort\bin>snort --help
> 
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.4-WIN32 GRE (Build 40)
>    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/snort-team
>            Copyright (C) 1998-2012 Sourcefire, Inc., et al.
>            Using PCRE version: 8.10 2010-06-25
>            Using ZLIB version: 1.2.3
> 
> USAGE: snort [-options] <filter options>
>        snort /SERVICE /INSTALL [-options] <filter options>
>        snort /SERVICE /UNINSTALL
>        snort /SERVICE /SHOW
> Options:
>         -A         Set alert mode: fast, full, console, test or none (alert file alerts only)
>         -b         Log packets in tcpdump format (much faster!)
>         -B <mask>  Obfuscated IP addresses in alerts and packet dumps using CIDR mask
>         -c <rules> Use Rules File <rules>
>         -C         Print out payloads with character data only (no hex)
>         -d         Dump the Application Layer
>         -e         Display the second layer header info
>         -E         Log alert messages to NT Eventlog. (Win32 only)
> <------------------------------------------------------------------
> I haven't had time to try it though...
> -rich
> 
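The question raised in this message (does -E switch off the other output mechanisms?) can be checked empirically rather than by inspection. The following PowerShell script is added here as an example and is not part of the thread, of Snort or of Barnyard2. It replays one pcap through Snort twice, once with -E and once without, and reports for each run how many Snort-looking entries landed in the Application log and how many unified2 bytes were written (unified2 being what Barnyard2 reads). The install paths, the test capture, the unified2 output line in snort.conf and the way Snort entries are recognised in the event log are all assumptions and are marked as such in the code.

```powershell
# Added example (not from the thread). Repro harness: run Snort once with -E and
# once without, replaying the same pcap, and count (a) Snort entries in the
# Windows Application log and (b) unified2 bytes written for Barnyard2.
# Assumptions (not confirmed by the thread): Snort 2.9.x WIN32 installed under
# C:\Snort, a snort.conf containing "output unified2: filename snort.u2, limit 128",
# a capture C:\Snort\test.pcap that triggers at least one rule, and that Snort's -E
# entries either carry a provider name containing "snort" or a message with a
# "[gid:sid:rev]" tag.
$SnortExe  = 'C:\Snort\bin\snort.exe'
$SnortConf = 'C:\Snort\etc\snort.conf'
$LogDir    = 'C:\Snort\log'
$Pcap      = 'C:\Snort\test.pcap'

function Get-SnortEventCount {
    # Count Application-log entries written since $Since that look like Snort alerts.
    param([datetime]$Since)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = $Since } `
                           -ErrorAction SilentlyContinue
    @($events | Where-Object {
        $_.ProviderName -match 'snort' -or $_.Message -match '\[\d+:\d+:\d+\]'
    }).Count
}

function Get-Unified2Bytes {
    # Total size of unified2 files in the log dir (unified2 appends a timestamp
    # to the configured filename); 0 if none were written.
    param([string]$Dir)
    $files = Get-ChildItem -Path $Dir -Filter 'snort.u2.*' -File -ErrorAction SilentlyContinue
    if ($files) { ($files | Measure-Object -Property Length -Sum).Sum } else { 0 }
}

function Invoke-SnortRun {
    # Run Snort against the pcap with the given extra switches; return both counts.
    param([string[]]$ExtraArgs)
    # Start from an empty log dir so the unified2 measurement is per run.
    Remove-Item -Path (Join-Path $LogDir 'snort.u2.*') -Force -ErrorAction SilentlyContinue
    $started   = Get-Date
    $snortArgs = @('-c', $SnortConf, '-l', $LogDir, '-r', $Pcap, '-q') + $ExtraArgs
    & $SnortExe @snortArgs | Out-Null
    [pscustomobject]@{
        Switches      = if ($ExtraArgs) { $ExtraArgs -join ' ' } else { '(none)' }
        ExitCode      = $LASTEXITCODE
        EventLogHits  = Get-SnortEventCount -Since $started
        Unified2Bytes = Get-Unified2Bytes -Dir $LogDir
    }
}

# Run 1: -E on.  Run 2: -E off.  Compare side by side.
$withE    = Invoke-SnortRun -ExtraArgs @('-E')
$withoutE = Invoke-SnortRun -ExtraArgs @()
$withE, $withoutE | Format-Table -AutoSize
```

Read the table as follows: if the -E run shows event-log hits but zero unified2 bytes while the run without -E writes unified2, then -E is suppressing the unified2 output that Barnyard2 consumes; if both runs write unified2 of comparable size, the database problem lies on the Barnyard2 side and not in the -E switch. Run the script from an elevated prompt, since reading the Application log and writing under C:\Snort\log may both need it.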