[Snort-users] Barnyard2, Syslog and formatting.
Mike.J.Miller at ...16867...
Mon May 18 09:50:09 EDT 2015
I'm going through and modernizing our IDS fleet and am running into the
The part that works:
The first screenshot is the production server, it's syslogging using
rsyslog to an RSA SIEM. The RSA sees, parses, and is happy with it. It's
using Snort to post to local syslog without Barnyard, the syslog daemon
then forwards it to the SIEM.
rsyslog.conf line is just *.* 10.242.3.230, and the snort.conf output line
output alert_syslog: log_local7 log_alert
The part that doesn't:
The second grab is the test server, on the same segment, and it's using
barnyard2 to send syslog directly to the same server... its output looks
the configs for barnyard2 look like:
output alert_syslog: host=10.242.3.230, LOG_AUTH LOG_ALERT
The SIEM receives the traffic, but it doesn't know how to parse it,
because it doesn't appear like the syslog format it expects. (I suspect
because it's missing Facility and Severity)
Any idea what I'm missing?
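An added example, not from the post or from the Snort/barnyard2 projects, to check the suspicion raised above: a syslog receiver such as a SIEM normally keys its parsing on the RFC 3164 `<PRI>` header, where PRI = facility * 8 + severity. The script below computes the PRI that the two configurations in the post correspond to (`log_local7 log_alert` and `LOG_AUTH LOG_ALERT`), parses a capture of received lines, and flags those that arrive without a PRI header. The facility and severity tables are the standard RFC 3164 values; the sample lines are constructed here and are not real barnyard2 or Snort output.

```python
import re

# Standard RFC 3164 facility and severity codes (not taken from the post).
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}

# A syslog line is expected to start with "<PRI>" immediately before the rest.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def pri(facility: str, severity: str) -> int:
    """PRI value as defined by RFC 3164: facility * 8 + severity."""
    return FACILITIES[facility.lower()] * 8 + SEVERITIES[severity.lower()]


def parse_syslog_line(line: str) -> dict:
    """Return the decoded PRI header of a received line, or mark it as missing.

    A line without a valid "<PRI>" prefix is exactly what a SIEM expecting
    RFC 3164 framing will fail to classify.
    """
    m = PRI_RE.match(line)
    if not m:
        return {"has_pri": False, "facility": None, "severity": None, "body": line}
    value = int(m.group(1))
    if value > 191:  # 23 * 8 + 7 is the largest valid PRI
        return {"has_pri": False, "facility": None, "severity": None, "body": line}
    return {
        "has_pri": True,
        "facility": FACILITY_NAMES.get(value // 8, f"unknown({value // 8})"),
        "severity": SEVERITY_NAMES[value % 8],
        "body": m.group(2),
    }


def lines_missing_pri(lines) -> list:
    """Triage helper: which received lines carry no usable PRI header?"""
    return [line for line in lines if not parse_syslog_line(line)["has_pri"]]


# Constructed sample of what a receiver might see (not real Snort/barnyard2 output).
SAMPLE_LINES = [
    # Framed like Snort's own alert_syslog with log_local7 log_alert (PRI 185).
    "<185>May 18 09:50:09 ids01 snort[1234]: [1:1000001:1] CONSTRUCTED test alert",
    # Same alert forwarded with auth/alert (PRI 33).
    "<33>May 18 09:50:10 ids02 barnyard2[2345]: [1:1000001:1] CONSTRUCTED test alert",
    # A line that reached the receiver with no PRI header at all.
    "May 18 09:50:11 ids02 barnyard2[2345]: [1:1000001:1] CONSTRUCTED test alert",
]


if __name__ == "__main__":
    print("log_local7 log_alert ->", pri("local7", "alert"))
    print("LOG_AUTH LOG_ALERT   ->", pri("auth", "alert"))
    for line in SAMPLE_LINES:
        print(parse_syslog_line(line))
    print("lines without PRI:", lines_missing_pri(SAMPLE_LINES))
```

Pointed at a packet capture or a raw-receive log on the SIEM side, `lines_missing_pri` separates "the SIEM has no parser for this content" from "the SIEM never saw a PRI header", which is the distinction the post is trying to make.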