[Snort-users] Syslog Help

Kevin Ross kevross33 at ...14012...
Mon Mar 18 08:20:50 EDT 2013


I usually use unified 2 to barnyard which sends logs into mysql. Now I have
the need to send Syslog into another log collector. I haven't used syslog
for snort output in a while but I have never had these issues before.

I have configured the syslog output in multiple ways and even though alerts
are processed and sent into mysql database it never generates syslog
alerts. I have captured traffic with tcpdump from the box and nothing is
sent. Does anyone have any ideas what is needed? I just need it to send
generic syslog (and I have checked the usual, network connectivity the
collector is there, firewalls not in way etc). Strange thing is when run in
continuous mode it says it is using syslog and has the IP, port, mode etc.

Thanks for any help,

output alert_syslog_full: sensor_name NAME, server 10.X.X.X.X, protocol
udp, port 514, operation_mode default (tried complete and other options too)

# snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version GRE (Build 69)
   ''''    By Martin Roesch & The Snort Team:
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 8.12 2011-01-15
           Using ZLIB version: 1.2.5

# barnyard2 -V

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.12 (Build 321)
 |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
 + '''' +  (C) Copyright 2008-2013 Ian Firns <firnsy at ...14568...>

# ps aux | grep barn
root     18725 77.4  3.6  91792 73064 ?        Rs   12:11   2:29
/usr/local/bin barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort/ -f
snort.u2 -w /var/log/snort/bylog.waldo -D

# ps aux | grep snort
snort    18698 73.3 16.1 745592 325160 ?       Rsl  12:11   2:53
/usr/local/bin snort -D -i em1 -u snort -g snort -c /etc/snort/snort.conf
-l /var/log/snort/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130318/fb94ed78/attachment.html>

More information about the Snort-users mailing list