[Snort-users] Barnyard2, Syslog and formatting.
jlay at ...13475...
Mon May 18 13:14:08 EDT 2015
On 2015-05-18 07:50 AM, Miller, Mike wrote:
> I'm going through and modernizing our IDS fleet and am running into the
> following problem:
> The part that works:
> The first screenshot, is the production server, it's syslogging using
> rsyslog to an RSA SIEM. The RSA sees, parses, and is happy with it.
> using Snort to post to local syslog without Barnyard, the syslog daemon
> then forwards it to the SIEM.
> rsyslog.conf line is just *.* 10.242.3.230, and the snort.conf output
> looks like:
> output alert_syslog: log_local7 log_alert
> The part that doesn't:
> The second grab is the test server, on the same segment, and it's using
> barnyard2 to send syslog directly to the same server....its output
> looks like this:
> the configs for barnyard2 look like:
> output alert_syslog: host=10.242.3.230, LOG_AUTH LOG_ALERT
> The SIEM receives the traffic, but it doesn't know how to parse it,
> because it doesn't appear like the syslog format it expects. (I suspect
> because it's missing Facility and Severity)
> Any idea what I'm missing?
In setting up barnyard2 for logstash I found that I had to have logstash
just set up as a generic UDP listener. From there barnyard2:
output alert_syslog_full: sensor_name external, server x.x.x.x, protocol
udp, port 5514
That seems to work, but did require tweaking on the receiving end. Hope
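An added example (not code from the thread or from barnyard2) for checking the suspicion raised above: a small Python script that acts as the kind of generic UDP listener the reply describes and decodes the RFC 3164 `<PRI>` header, so you can see whether received lines actually carry a facility and severity before blaming the SIEM parser. Port 5514, the sensor names and the sample datagrams are constructed for illustration; PRI values are computed as facility * 8 + severity (local7.alert = 185, auth.alert = 33).

```python
import re
import socket
from typing import Iterator, Optional

# RFC 3164 facility and severity codes; PRI = facility * 8 + severity.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 16: "local0", 17: "local1", 18: "local2",
              19: "local3", 20: "local4", 21: "local5", 22: "local6",
              23: "local7"}
SEVERITIES = {0: "emerg", 1: "alert", 2: "crit", 3: "err",
              4: "warning", 5: "notice", 6: "info", 7: "debug"}
PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(line: str) -> Optional[dict]:
    """Decode the leading <PRI> header; None if absent or out of range."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        return None
    facility, severity = divmod(int(m.group(1)), 8)
    return {"facility": FACILITIES.get(facility, f"facility{facility}"),
            "severity": SEVERITIES[severity], "msg": line[m.end():]}


def audit(lines) -> dict:
    """Split datagrams into ones a PRI-expecting parser can decode and ones
    that arrive with no facility/severity header at all."""
    result = {"parsed": [], "no_pri": []}
    for line in lines:
        hdr = parse_pri(line)
        (result["parsed"] if hdr else result["no_pri"]).append(hdr or line)
    return result


def listen(port: int = 5514, count: int = 10) -> Iterator[str]:
    """Generic UDP listener (like the logstash input in the reply) that
    yields `count` raw datagrams to feed into audit(). Port is assumed."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", port))
        for _ in range(count):
            data, _addr = s.recvfrom(8192)
            yield data.decode("utf-8", errors="replace")


# Constructed sample datagrams (not captured from the thread's servers):
SAMPLES = [
    "<185>May 18 13:14:08 ids01 snort[2231]: [1:1000001:1] TEST {TCP} 10.0.0.5:4444 -> 10.0.0.9:80",
    "May 18 13:14:09 ids02 barnyard2: [1:1000001:1] TEST {TCP} 10.0.0.5:4444 -> 10.0.0.9:80",
    "<33>May 18 13:14:10 ids02 barnyard2: [1:1000001:1] TEST {TCP} 10.0.0.5:4444 -> 10.0.0.9:80",
]

if __name__ == "__main__":
    for kind, entries in audit(SAMPLES).items():
        print(kind, entries)
```

To check a live sensor, replace `SAMPLES` with `list(listen())` and point the test sensor's barnyard2 output at the listener's host and port.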