[Snort-users] Snort alerts to a remote syslog server

Stephen Gantz stephen.gantz at ...16854...
Thu Jun 19 09:29:50 EDT 2014


To get Snort to direct output to the syslog server, open the snort.conf file and edit the output plugin configuration for syslog in Step #6. By default it reads:
output alert_syslog: host=127.0.0.1:514, LOG_AUTH LOG_ALERT

You just need to replace the localhost IP address with the address of your syslog server (and change the port if you aren't using the default 514).

I find when I run Snort with syslog that even with the snort.conf options configured correctly, I still have to add -s to my startup command to get the output to syslog properly. That's not the way the documentation says it works, but it has been my personal experience. 

Dr. Stephen D. Gantz
CISSP-ISSAP, CEH, CGEIT, CRISC, CIPP/G, C|CISO
Associate Professor of Information Assurance
The Graduate School
University of Maryland University College
stephen.gantz at ...16854...

> On Jun 19, 2014, at 7:27 AM, Iliass Hakim <iliass61 at ...125...> wrote:
> 
> Hi all,
> 
> I have two machines :
> 
> - snort server 
> - syslog server 
> 
> I want to configure my Snort server so that it sends alerts to the syslog server.
> 
> Does someone know how?
> 
> 
> Regards
> ---------------------------------------------------------
> HAKIM Iliass 
> 
> Network & Telecommunications Engineer
> 
> Université Bretagne Occidentale 
> 
> +33 6 40 24 39 16
> 
> 
> 
> Please consider the environment before printing this message.
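A small checker for the directive discussed in the message above, added here as an example and not part of the original post or of Snort itself. It parses the `output alert_syslog` line in the form the post quotes and reports when alerts would still be sent to the local machine; the function names and the sample address 192.0.2.10 are assumptions made for illustration.

```python
import ipaddress
import re

DEFAULT_PORT = 514  # default syslog port mentioned in the post
DIRECTIVE = re.compile(r"^\s*output\s+alert_syslog\s*:\s*(.*)$")

# Constructed sample configs; 192.0.2.10 is a documentation-range placeholder.
SAMPLE_DEFAULT = ("# Step #6: Configure output plugins\n"
                  "output alert_syslog: host=127.0.0.1:514, LOG_AUTH LOG_ALERT\n")
SAMPLE_REMOTE = "output alert_syslog: host=192.0.2.10, LOG_AUTH LOG_ALERT\n"


def parse_alert_syslog(conf_text):
    """Return one dict per active (uncommented) alert_syslog output line."""
    entries = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        match = DIRECTIVE.match(raw.split("#", 1)[0])  # drop comments first
        if not match:
            continue
        host, port, flags = None, str(DEFAULT_PORT), []
        for token in filter(None, re.split(r"[,\s]+", match.group(1))):
            if token.startswith("host="):
                host, _, given = token[len("host="):].partition(":")
                port = given or port
            else:
                flags.append(token)  # facility / priority names such as LOG_AUTH
        entries.append({"line": lineno, "host": host, "port": port, "flags": flags})
    return entries


def is_local(host):
    """True when no host is given or the host is a loopback name or address."""
    if host in (None, "", "localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a hostname: treated as remote, not resolved here


def check(conf_text):
    """Return a list of problems; an empty list means alerts go to a remote host."""
    entries = parse_alert_syslog(conf_text)
    if not entries:
        return ["no active 'output alert_syslog' line (missing or commented out)"]
    problems = []
    for e in entries:
        if is_local(e["host"]):
            problems.append(f"line {e['line']}: host={e['host']} is local")
        if not (e["port"].isdigit() and 1 <= int(e["port"]) <= 65535):
            problems.append(f"line {e['line']}: bad port {e['port']!r}")
    return problems
```

Run `check(open("snort.conf").read())` against the real file after editing it; the path to snort.conf depends on the installation.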

