[Snort-users] Snort alerts to a remote syslog server

Kurzawa, Kevin kkurzawa at ...16800...
Thu Jun 19 09:14:16 EDT 2014


I currently use syslog-ng and send that info to a splunk server. Little difference.

I tell syslog on the snort machine to watch the alerts file and send the info to an IP:port specification. Shazam.

My additions to the syslog-ng.conf are as follows:

# Read the Snort fast-alert file as a log source. Snort's alert lines are not
# syslog-formatted; if syslog-ng mangles the timestamp or host field, add
# flags(no-parse) to the file() driver so each line is forwarded whole.
source s_ids {
   file("/var/log/snort/alerts");
};

# Ship to the Splunk receiver over plain UDP. "server-name" and the port are
# placeholders (the original post used a joke value for the port); substitute
# the host and the port that your Splunk UDP input is listening on.
destination d_splunk {
   udp("server-name" port(514));
};

log {
   source(s_ids);
   destination(d_splunk);
};
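As an added example (not part of the original post, and not syslog-ng or Splunk code), here is a small Python forwarder that does what the config above does in a self-contained way: it follows the Snort fast-alert file and ships each new line as an RFC 3164 syslog datagram over UDP to a host:port. The hostname "snort-sensor", the local4 facility, the mapping from Snort priority to syslog severity, and the two sample alert lines are all assumptions constructed for the example; the loopback helper exists only so the code can be exercised offline.

```python
"""Forward Snort fast-alert lines to a remote syslog receiver over UDP."""
import re
import socket
import time

# Constructed sample Snort "fast" alert lines (not from the original post).
SAMPLE_ALERTS = [
    "06/19-09:14:16.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 192.168.1.10:51234",
    "06/19-09:14:17.000001  [**] [1:1000001:1] LOCAL ICMP ping sweep [**] "
    "[Priority: 3] {ICMP} 10.0.0.7 -> 192.168.1.10",
]

# Snort fast-alert layout: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {proto} src -> dst
# Classification and Priority are optional because rules without a classtype omit them.
FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<class>[^\]]+)\]\s+)?"
    r"(?:\[Priority:\s+(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
LOCAL4 = 20  # assumed syslog facility for IDS alerts


def parse_fast_alert(line):
    """Return the alert fields as a dict, or None if the line is not a fast alert."""
    m = FAST_ALERT.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["prio"] = int(fields["prio"]) if fields["prio"] else 3  # Snort default priority
    return fields


def syslog_severity(snort_priority):
    """Assumed mapping: Snort 1 -> crit(2), 2 -> warning(4), 3 -> notice(5), else info(6)."""
    return {1: 2, 2: 4, 3: 5}.get(snort_priority, 6)


def to_syslog(line, hostname="snort-sensor", facility=LOCAL4):
    """Encode one alert-file line as an RFC 3164 syslog message (bytes)."""
    alert = parse_fast_alert(line)
    if alert is None:
        # Not an alert line (e.g. a preprocessor note): ship it verbatim rather than drop it.
        stamp = time.strftime("%b %d %H:%M:%S")
        return f"<{facility * 8 + 6}>{stamp} {hostname} snort: {line.strip()}".encode()
    mon, rest = alert["ts"].split("/", 1)       # "06", "19-09:14:16.123456"
    day, clock = rest.split("-", 1)             # "19", "09:14:16.123456"
    stamp = f"{MONTHS[int(mon) - 1]} {int(day):2d} {clock.split('.')[0]}"  # 3164 day is space-padded
    pri = facility * 8 + syslog_severity(alert["prio"])
    body = (f"[{alert['gid']}:{alert['sid']}:{alert['rev']}] {alert['msg']} "
            f"[Classification: {alert['class'] or 'none'}] [Priority: {alert['prio']}] "
            f"{{{alert['proto']}}} {alert['src']} -> {alert['dst']}")
    return f"<{pri}>{stamp} {hostname} snort: {body}".encode()


def forward(lines, host, port):
    """Send one UDP datagram per non-empty line; return the number sent."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sent = 0
    try:
        for line in lines:
            if line.strip():
                sock.sendto(to_syslog(line), (host, port))
                sent += 1
    finally:
        sock.close()
    return sent


def tail_file(path, host, port, poll=1.0):
    """Follow the alert file the way syslog-ng's file() source does and forward new lines forever."""
    with open(path, "r", errors="replace") as f:
        f.seek(0, 2)  # start at end of file: only alerts written from now on
        while True:
            line = f.readline()
            if line:
                forward([line], host, port)
            else:
                time.sleep(poll)


def loopback_roundtrip(lines):
    """Offline check: receive on an ephemeral loopback port and return the decoded datagrams."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))
    rx.settimeout(2.0)
    port = rx.getsockname()[1]
    count = forward(lines, "127.0.0.1", port)
    got = [rx.recv(65535).decode() for _ in range(count)]
    rx.close()
    return got


if __name__ == "__main__":
    import sys
    # usage: python snort_to_syslog.py /var/log/snort/alerts splunk-host 514
    tail_file(sys.argv[1], sys.argv[2], int(sys.argv[3]))
```

UDP gives no delivery guarantee and no confidentiality, so on anything other than a trusted management network the syslog-ng `udp()` destination (or this script) should be swapped for a TCP or TLS-wrapped transport; the framing above stays the same.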
