[Snort-users] Snort-users Digest, Vol 108, Issue 36

Miller, Mike Mike.J.Miller at ...16867...
Wed May 20 14:21:40 EDT 2015


Yeah, I'm not finding any joy with that. Mostly because I'm using Security Onion, and it does things it wants to do with Syslog. It's really bizarre that I can't get Barnyard to output the severity and facility...that's a bog stock syslog format thing to do. 

I'm scripting a small fleet of these things and altering a conf file to produce the right output is do-able, installing a second syslog facility on another port so it can filter to the right format doesn't seem like the right way to go about it. 

-----Original Message-----
Message: 4
Date: Mon, 18 May 2015 11:14:08 -0600
From: James Lay <jlay at ...13475...>
Subject: Re: [Snort-users] Barnyard2, Syslog and formatting.
To: snort-users at lists.sourceforge.net
Message-ID: <7ad3f42241215b9d8015a9594701306f at ...274...>
Content-Type: text/plain; charset=UTF-8; format=flowed

On 2015-05-18 07:50 AM, Miller, Mike wrote:
> I?m going through and modernizing our IDS fleet and am running into 
> the following problem:
> 
> The part that works:
> ================
> The first screenshot, is the production server, it's syslogging using 
> rsyslog to an RSA SIEM. The RSA sees, parses, and is happy with it.
> It?s
> using Snort to post to local syslog without Barnyard, the syslog 
> daemon then forwards it to the SIEM.
> 
> rsyslog.conf line is just *.* 10.242.3.230, and the snort.conf output 
> line looks like:
> 
> output alert_syslog: log_local7 log_alert
> 
> http://imgur.com/ckhN3vr,wxu5OyH#0
> 
> 
> The part that doesn't:
> =================
> The second grab is the test server, on the same segment, and it's 
> using
> barnyard2 to send syslog directly to the same server....it's output 
> looks like this:
> 
> http://imgur.com/ckhN3vr,wxu5OyH#1
> 
> the configs for barnyard2 look like:
> 
> output alert_syslog: host=10.242.3.230, LOG_AUTH LOG_ALERT
> 
> 
> The SIEM receives the traffic, but it doesn't know how to parse it, 
> because it doesn't appear like the syslog format it expects. (I 
> suspect because it?s missing Facility and Severity)
> 
> Any idea what I'm missing?

Mike,

In setting up barnyard2 for logstash I found that I had to have logstash just set up as a generic UDP listener.  From there barnyard2:

output alert_syslog_full: sensor_name external, server x.x.x.x, protocol udp, port 5514

That seems to work, but did require tweaking on the receiving end.  Hope that helps.

James


-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 477 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150520/55a70dd8/attachment.sig>


More information about the Snort-users mailing list