[Snort-users] Snort alerts to a remote syslog server

Stephen Gantz stephen.gantz at ...16854...
Thu Jun 19 09:29:50 EDT 2014

To get Snort to direct output to the syslog server, open the snort.conf file and edit the output plugin configuration for syslog in Step #6. By default it reads:
output alert_syslog: host=, LOG_AUTH LOG_ALERT

You just need to replace the localhost IP address with the address of your syslog server (and change the port if you aren't using the default 514).

I find when I run Snort with syslog that even with the snort.conf options configured correctly, I still have to add -s to my startup command to get the output to syslog properly. That's not the way the documentation says it works, but it has been my personal experience. 

Dr. Stephen D. Gantz
Associate Professor of Information Assurance
The Graduate School
University of Maryland University College
stephen.gantz at ...16854...

> On Jun 19, 2014, at 7:27 AM, Iliass Hakim <iliass61 at ...125...> wrote:
> Hi all,
> I have two machines:
> - snort server
> - syslog server
> I want to configure my Snort server to send alerts to the syslog server.
> Does someone know how?
> Regards
> ---------------------------------------------------------
> HAKIM Iliass 
> Network & Telecommunications Engineer
> Université Bretagne Occidentale 
> +33 6 40 24 39 16
> Please consider the environment before printing this message.
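To confirm on the syslog server that alerts sent with the `LOG_AUTH LOG_ALERT` setting discussed above are arriving, the following added example (not part of the original thread, and not Snort project code) listens on the default UDP port 514 and decodes each datagram's syslog priority. The sample datagram, the host name `sensor1` and all function names are constructed for illustration; binding to port 514 normally requires root.

```python
import re
import socket

# RFC 3164 facility and severity names, indexed by numeric code.
FACILITIES = (["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
               "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
              + [f"local{i}" for i in range(8)])
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(rb"^<(\d{1,3})>")
SNORT_TAG_RE = re.compile(r"\bsnort(\[\d+\])?:")

# Constructed sample of a Snort alert as it would arrive over UDP (auth.alert = <33>).
SAMPLE = (b"<33>Jun 19 09:29:50 sensor1 snort[2211]: [1:1000001:1] TEST rule "
          b"[Classification: Misc activity] [Priority: 3] {ICMP} "
          b"192.0.2.10 -> 192.0.2.20")


def decode_pri(datagram: bytes):
    """Return (facility, severity, message), or None if the PRI field is missing/invalid."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:      # 23 facilities * 8 + 7 is the maximum
        return None
    pri = int(m.group(1))
    text = datagram[m.end():].decode("utf-8", "replace")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7], text


def is_snort_alert(datagram: bytes) -> bool:
    """True for a message tagged snort and logged at auth.alert (LOG_AUTH LOG_ALERT)."""
    decoded = decode_pri(datagram)
    if decoded is None:
        return False
    facility, severity, text = decoded
    return (facility, severity) == ("auth", "alert") and bool(SNORT_TAG_RE.search(text))


def listen(bind_addr: str = "0.0.0.0", port: int = 514) -> None:
    """Print the sender and decoded priority of every syslog datagram received."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, peer = sock.recvfrom(4096)
            label = "snort alert" if is_snort_alert(data) else "other"
            print(peer[0], label, decode_pri(data))


if __name__ == "__main__":
    listen()
```

Stop the regular syslog daemon first or pass a different port to `listen()`, since only one process can bind UDP 514 on an address.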