[Snort-users] Syslog Help

beenph beenph at ...11827...
Wed Mar 20 08:02:47 EDT 2013


On Wed, Mar 20, 2013 at 7:39 AM, Kevin Ross <kevross33 at ...14012...> wrote:
> Ok I have tried and nothing on loopback :( I am sure this is working because
> other logging formats work so just not syslog. I have attached my recent
> barnyard2.conf file and I think I already posted what it is running as.
>

Hi Kevin,

If you try to log to local syslog for testing purposes, does it work?

output alert_syslog_full: sensor_name XXXX, local ?

Also, in your test examples I have seen that you try to log
with LOG_LOCAL1.

You need to use the log_facility directive before LOG_LOCAL1:

output alert_syslog_full: sensor_name XXXXXXX, server XXX.XXX.XXX.XXX,
log_facility LOG_LOCAL1


See output plugin directives in barnyard2.conf

# syslog_full
#-------------------------------
# Available as both a log and alert output plugin.  Used to output
# data via TCP/UDP or LOCAL ie(syslog())
# Arguments:
#      sensor_name $sensor_name         - unique sensor name
#      server $server                   - server the device will report to
#      local                            - if defined, ignore all remote
#                                         information and use syslog() to send message.
#      protocol $protocol               - protocol device will report over (tcp/udp)
#      port $port                       - destination port device will report to (default: 514)
#      delimiters $delimiters           - define a character that will delimit message
#                                         sections ex: "|", will use | as message section
#                                         delimiters. (default: |)
#      separators $separators           - define field separator included in each message
#                                         ex: " ", will use space as field separator.
#                                         (default: [:space:])
#      operation_mode $operation_mode   - default | complete : default mode is compatible
#                                         with default snort syslog message, complete prints
#                                         more information such as the raw packet (hexed)
#      log_priority   $log_priority     - used by local option for syslog priority call.
#                                         (man syslog(3) for supported options) (default: LOG_INFO)
#      log_facility  $log_facility      - used by local option for syslog facility call.
#                                         (man syslog(3) for supported options) (default: LOG_USER)
#      payload_encoding                 - (default: hex)  support hex or ascii for
#                                         log_syslog_full only.

-elz
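An added example, not part of the thread and not barnyard2's own code: a small checker that parses an `output alert_syslog_full:` line against the arguments documented in the comment block above, flags a bare `LOG_LOCAL1` that is missing its `log_facility` keyword (the mistake discussed in the reply), and computes the syslog PRI value that the standard syslog(3) facility and priority codes give for the configured `log_facility`/`log_priority` defaults. Argument names come from the plugin comment; the facility and priority numbers are the standard syslog(3) values.

```python
# Added example (not from the thread or barnyard2): validate a barnyard2
# "output alert_syslog_full:" directive and report the missing log_facility.
import re

# Standard syslog(3) facility and priority codes; PRI = facility * 8 + priority.
FACILITIES = {"LOG_KERN": 0, "LOG_USER": 1, "LOG_MAIL": 2, "LOG_DAEMON": 3,
              "LOG_AUTH": 4, "LOG_SYSLOG": 5, "LOG_LPR": 6, "LOG_NEWS": 7,
              "LOG_UUCP": 8, "LOG_CRON": 9, "LOG_AUTHPRIV": 10, "LOG_FTP": 11,
              **{f"LOG_LOCAL{i}": 16 + i for i in range(8)}}
PRIORITIES = {"LOG_EMERG": 0, "LOG_ALERT": 1, "LOG_CRIT": 2, "LOG_ERR": 3,
              "LOG_WARNING": 4, "LOG_NOTICE": 5, "LOG_INFO": 6, "LOG_DEBUG": 7}
# Arguments documented for the syslog_full plugin: value-taking ones and the flag.
VALUE_ARGS = {"sensor_name", "server", "protocol", "port", "delimiters",
              "separators", "operation_mode", "log_priority", "log_facility",
              "payload_encoding"}
FLAG_ARGS = {"local"}

def parse_syslog_full(line):
    """Return (settings, problems) for one 'output alert_syslog_full: ...' line."""
    m = re.match(r"\s*output\s+(alert|log)_syslog_full\s*:\s*(.*)$", line)
    if not m:
        return {}, ["not an alert_syslog_full/log_syslog_full output line"]
    settings, problems = {"_type": m.group(1)}, []
    # Arguments are comma separated; each is "keyword value" or a bare flag.
    for item in filter(None, (s.strip() for s in m.group(2).split(","))):
        tokens = item.split()
        if tokens[0] in VALUE_ARGS and len(tokens) == 2:
            settings[tokens[0]] = tokens[1]
        elif tokens[0] in FLAG_ARGS and len(tokens) == 1:
            settings[tokens[0]] = True
        elif tokens[0] in FACILITIES:   # e.g. a bare LOG_LOCAL1
            problems.append(f"bare facility {tokens[0]}: write 'log_facility {tokens[0]}'")
        elif tokens[0] in PRIORITIES:
            problems.append(f"bare priority {tokens[0]}: write 'log_priority {tokens[0]}'")
        else:
            problems.append(f"unknown argument: {item!r}")
    fac = settings.get("log_facility", "LOG_USER")   # documented defaults
    pri = settings.get("log_priority", "LOG_INFO")
    if fac not in FACILITIES:
        problems.append(f"unknown log_facility {fac}")
    if pri not in PRIORITIES:
        problems.append(f"unknown log_priority {pri}")
    if "server" not in settings and "local" not in settings:
        problems.append("neither 'server' nor 'local' given")
    return settings, problems

def syslog_pri(settings):
    """PRI (<N> prefix) that syslog(3) derives from the configured facility/priority."""
    return FACILITIES[settings.get("log_facility", "LOG_USER")] * 8 \
        + PRIORITIES[settings.get("log_priority", "LOG_INFO")]
```

Running the checker over a barnyard2.conf before restarting barnyard2 catches the bare-token form, which the plugin would otherwise not apply as a facility.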
