[Snort-users] Syslog Help

Kevin Ross kevross33 at ...14012...
Mon Mar 18 10:49:52 EDT 2013


Yup, barnyard2 is great; what is always a good argument is that I heard Snort cannot
write to a database AND watch the network at the same time. So rather than having a
guard always watching the door, you have one who turns around to tell you
everything that happens before looking back :-)

So in barnyard2, to log to a remote host for typical syslog, which is the
recommended line to have in barnyard2.conf? Also, can I log to 2 different
destinations in the same config? i.e. mysql writes remotely to one database
server and then syslog to a completely different host?

Thanks,
Kevin


On 18 March 2013 14:06, Joel Esler <jesler at ...1935...> wrote:

> On Mar 18, 2013, at 8:35 AM, Peter Bates <peter.bates at ...15381...> wrote:
>
> On 18/03/2013 12:20, Kevin Ross wrote:
>
> I usually use unified 2 to barnyard which sends logs into mysql. Now I have
> the need to send Syslog into another log collector. I haven't used syslog
> for snort output in a while but I have never had these issues before.
>
>
> We're sending syslog from Barnyard2 rather than Snort directly, with:
>
> output alert_syslog: LOG_LOCAL1
>
> i.e. local1 as the facility.
>
> I think we went this way after seeing weird results
> from using the syslog output plugin directly in Snort itself.
>
>
> I think the code that barnyard2 is using for their syslog output is a copy
> of the Snort syslog output.  I'm not sure if improvements have been made to
> this code, but I'd hope so.
>
> That being said, and I guess it bears repeating for the hundreds of new
> people on the list since I last said it, Snort should output in unified2
> and then barnyard2 should handle the output logging from there.
>
> --
> *Joel Esler*
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
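As an added example, not code from this thread or from barnyard2 itself: a small collector-side parser for the alert_syslog output discussed above. It decodes the RFC 3164 PRI prefix to recover the facility (so a collector can keep only the local1 alerts Peter's config produces) and pulls the signature id, classification and addresses out of a Snort-style alert body. The sample lines are constructed; the LOG_ALERT severity and the "timestamp host snort[pid]:" header layout are assumed for the sending side.

```python
import re

# RFC 3164 codes: the <NNN> prefix carries PRI = facility * 8 + severity
LOG_LOCAL1 = 17   # "output alert_syslog: LOG_LOCAL1" from the thread
LOG_ALERT = 1     # severity assumed for Snort alerts in this example

# Header: <PRI>Mmm dd HH:MM:SS host tag[pid]: body  (layout assumed)
HEADER_RE = re.compile(
    r"<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (\S+?)\[\d+\]: (.*)"
)
# Body: [gid:sid:rev] msg [Classification: c] [Priority: p] {proto} src:sp -> dst:dp
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[Classification: (?P<classification>[^\]]*)\] "
    r"\[Priority: (?P<priority>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def syslog_pri(facility, severity):
    """Encode facility and severity into the PRI value a sender puts in <NNN>."""
    return facility * 8 + severity

def split_pri(pri):
    """Recover (facility, severity) from a PRI value."""
    return pri >> 3, pri & 7

def parse_snort_syslog(line):
    """Parse one syslog line into a dict of alert fields; None if it is not a Snort alert."""
    head = HEADER_RE.match(line)
    if not head:
        return None
    body = ALERT_RE.match(head.group(5))
    if not body:
        return None          # some other daemon's message, not an alert
    facility, severity = split_pri(int(head.group(1)))
    rec = body.groupdict()
    rec.update(facility=facility, severity=severity,
               timestamp=head.group(2), host=head.group(3), tag=head.group(4))
    return rec

def alerts_from_facility(lines, facility=LOG_LOCAL1):
    """Keep only alerts that were logged under the given facility (local1 by default)."""
    parsed = (parse_snort_syslog(line) for line in lines)
    return [rec for rec in parsed if rec and rec["facility"] == facility]

# Constructed sample input: one Snort alert on local1 (PRI 137), one cron line on local0
SAMPLE = [
    "<137>Mar 18 10:49:52 sensor1 snort[4242]: [1:1000001:1] EXAMPLE test alert "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 192.168.1.20:51234",
    "<134>Mar 18 10:49:53 sensor1 cron[100]: (root) CMD (run-parts /etc/cron.hourly)",
]
```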