[Snort-users] Barnyard2, Syslog and formatting.

James Lay jlay at ...13475...
Mon May 18 13:14:08 EDT 2015


On 2015-05-18 07:50 AM, Miller, Mike wrote:
> I'm going through and modernizing our IDS fleet and am running into the
> following problem:
> 
> The part that works:
> ================
> The first screenshot, is the production server, it's syslogging using
> rsyslog to an RSA SIEM. The RSA sees, parses, and is happy with it. It's
> using Snort to post to local syslog without Barnyard, the syslog daemon
> then forwards it to the SIEM.
> 
> rsyslog.conf line is just *.* 10.242.3.230, and the snort.conf output line
> looks like:
> 
> output alert_syslog: log_local7 log_alert
> 
> http://imgur.com/ckhN3vr,wxu5OyH#0
> 
> 
> The part that doesn't:
> =================
> The second grab is the test server, on the same segment, and it's using
> barnyard2 to send syslog directly to the same server....its output looks
> like this:
> 
> http://imgur.com/ckhN3vr,wxu5OyH#1
> 
> the configs for barnyard2 look like:
> 
> output alert_syslog: host=10.242.3.230, LOG_AUTH LOG_ALERT
> 
> 
> The SIEM receives the traffic, but it doesn't know how to parse it,
> because it doesn't appear like the syslog format it expects. (I suspect
> because it's missing Facility and Severity)
> 
> Any idea what I'm missing?

Mike,

In setting up barnyard2 for logstash I found that I had to have logstash 
just set up as a generic UDP listener.  From there barnyard2:

output alert_syslog_full: sensor_name external, server x.x.x.x, protocol udp, port 5514

That seems to work, but did require tweaking on the receiving end.  Hope 
that helps.

James
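As an added illustration of the "generic UDP listener" approach and of why a SIEM rejects datagrams without a facility/severity header, here is a small RFC 3164 PRI parser plus listener (example code written for this thread, not from Snort, barnyard2 or logstash). The sample datagrams and the rule text in them are constructed; the listener port 5514 matches James's config above.

```python
import re
import socket

# RFC 3164: PRI = facility * 8 + severity, sent as "<PRI>" at the start of the datagram
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              16: "local0", 17: "local1", 18: "local2", 19: "local3",
              20: "local4", 21: "local5", 22: "local6", 23: "local7"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")

def parse_syslog_pri(datagram: str) -> dict:
    """Split a datagram into facility, severity and body.
    has_pri is False when the <PRI> header is absent or out of range,
    which is exactly what a strict SIEM parser will reject."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:  # 23*8 + 7 is the largest legal PRI
        return {"facility": None, "severity": None, "body": datagram, "has_pri": False}
    facility, severity = divmod(int(m.group(1)), 8)
    return {"facility": FACILITIES.get(facility, f"facility{facility}"),
            "severity": SEVERITIES[severity],
            "body": datagram[m.end():], "has_pri": True}

def encode_pri(facility: str, severity: str) -> int:
    """PRI a sender should emit, e.g. log_local7 + log_alert -> 185, LOG_AUTH + LOG_ALERT -> 33."""
    code = {name: num for num, name in FACILITIES.items()}[facility]
    return code * 8 + SEVERITIES.index(severity)

def triage(datagrams) -> tuple:
    """Count datagrams a PRI-requiring parser would accept vs. reject."""
    accepted = sum(1 for d in datagrams if parse_syslog_pri(d)["has_pri"])
    return accepted, len(datagrams) - accepted

def udp_listener(port: int = 5514, bind: str = "0.0.0.0"):
    """Generic UDP listener like the one logstash was set up as; yields (peer, parsed)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, peer = sock.recvfrom(65535)
        yield peer[0], parse_syslog_pri(data.decode("utf-8", "replace"))

# Constructed samples: the same Snort-style alert with and without a PRI header
BODY = "May 18 13:14:08 sensor1 snort[1234]: [1:1000001:1] CONSTRUCTED TEST RULE " \
       "[Priority: 2] {TCP} 192.0.2.10:4444 -> 192.0.2.20:80"
WITH_PRI = "<185>" + BODY      # what alert_syslog via rsyslog with log_local7/log_alert yields
WITHOUT_PRI = BODY             # a datagram with no facility/severity, as the SIEM complained

if __name__ == "__main__":
    for d in (WITH_PRI, WITHOUT_PRI):
        print(parse_syslog_pri(d))
    print("accepted/rejected:", triage([WITH_PRI, WITHOUT_PRI]))
```

To watch what barnyard2 actually emits, iterate over `udp_listener(5514)` on the receiving host and compare each parsed record's `has_pri` against what the SIEM's parser requires.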