[Snort-users] Barnyard2, Syslog and formatting.

Miller, Mike Mike.J.Miller at ...16867...
Mon May 18 09:50:09 EDT 2015

I'm going through and modernizing our IDS fleet and am running into the
following problem:

The part that works:
The first screenshot is the production server; it's syslogging using
rsyslog to an RSA SIEM. The RSA sees, parses, and is happy with it. It's
using Snort to post to local syslog without Barnyard, and the syslog daemon
then forwards it to the SIEM.

rsyslog.conf line is just *.*, and the snort.conf output line
looks like: 

output alert_syslog: log_local7 log_alert


The part that doesn't:
The second grab is the test server, on the same segment, and it's using
barnyard2 to send syslog directly to the same server.... its output looks
like this:


the configs for barnyard2 look like:

output alert_syslog: host=, LOG_AUTH LOG_ALERT

The SIEM receives the traffic, but it doesn't know how to parse it,
because it doesn't appear like the syslog format it expects. (I suspect
because it's missing Facility and Severity)

Any idea what I'm missing?
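As an added check (example code, not part of the original post and not Snort's or barnyard2's own code): a small decoder for the RFC 3164 `<PRI>` header that a SIEM derives facility and severity from, run over two constructed lines. The first carries the local7/alert priority that the working `log_local7 log_alert` configuration produces (PRI 185); the second has no header at all, mimicking the poster's suspicion, so a parser keyed on facility and severity has nothing to decode. Hostnames, PIDs and the rule SID in the sample lines are placeholders.

```python
import re
from typing import Optional, List, Tuple

# Standard RFC 3164 facility (0-23) and severity (0-7) numbering.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")

# Constructed sample lines (not captured from a real sensor).
SAMPLE_LINES = [
    # Shape of a snort alert_syslog line sent as local7.alert: PRI = 23*8 + 1 = 185.
    "<185>May 18 09:50:09 ids01 snort[1234]: [1:1000001:1] TEST alert "
    "[Classification: placeholder] [Priority: 2] {TCP} 10.0.0.5:80 -> 10.0.0.9:51234",
    # Same payload with no <PRI> header, the failure mode the post suspects.
    "May 18 09:50:09 ids-test barnyard2: [1:1000001:1] TEST alert "
    "[Classification: placeholder] [Priority: 2] {TCP} 10.0.0.5:80 -> 10.0.0.9:51234",
]


def decode_pri(line: str) -> Optional[dict]:
    """Decode the leading <PRI> header; None when absent or out of range."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23*8 + 7 is the largest legal value
        return None
    facility, severity = divmod(pri, 8)
    return {"pri": pri, "facility": FACILITIES[facility], "severity": SEVERITIES[severity]}


def encode_pri(facility: str, severity: str) -> int:
    """PRI value a sender must emit for a facility/severity pair."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def triage(lines: List[str]) -> Tuple[list, list]:
    """Split lines into parseable (with decoded PRI) and header-less ones."""
    ok, bad = [], []
    for line in lines:
        decoded = decode_pri(line)
        (ok if decoded else bad).append((line, decoded))
    return ok, bad


if __name__ == "__main__":
    good, missing = triage(SAMPLE_LINES)
    for line, d in good:
        print(f"OK   {d['facility']}.{d['severity']} (PRI {d['pri']}): {line[:40]}...")
    for line, _ in missing:
        print(f"FAIL no <PRI> header, SIEM cannot derive facility/severity: {line[:40]}...")
```

Pointing the script at a packet capture or the SIEM's raw receive log for the test sensor shows immediately whether the header is present, which separates a missing-PRI problem from a message-body parsing problem.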
