[Snort-users] Snort-users Digest, Vol 108, Issue 36
Mike.J.Miller at ...16867...
Wed May 20 14:21:40 EDT 2015
Yeah, I'm not finding any joy with that. Mostly because I'm using Security Onion, and it does things it wants to do with Syslog. It's really bizarre that I can't get Barnyard to output the severity and facility...that's a bog stock syslog format thing to do.
I'm scripting a small fleet of these things and altering a conf file to produce the right output is do-able, installing a second syslog facility on another port so it can filter to the right format doesn't seem like the right way to go about it.
Date: Mon, 18 May 2015 11:14:08 -0600
From: James Lay <jlay at ...13475...>
Subject: Re: [Snort-users] Barnyard2, Syslog and formatting.
To: snort-users at lists.sourceforge.net
Message-ID: <7ad3f42241215b9d8015a9594701306f at ...274...>
Content-Type: text/plain; charset=UTF-8; format=flowed
On 2015-05-18 07:50 AM, Miller, Mike wrote:
> I'm going through and modernizing our IDS fleet and am running into
> the following problem:
> The part that works:
> The first screenshot, is the production server, it's syslogging using
> rsyslog to an RSA SIEM. The RSA sees, parses, and is happy with it.
> using Snort to post to local syslog without Barnyard, the syslog
> daemon then forwards it to the SIEM.
> rsyslog.conf line is just *.* 10.242.3.230, and the snort.conf output
> line looks like:
> output alert_syslog: log_local7 log_alert
> The part that doesn't:
> The second grab is the test server, on the same segment, and it's
> barnyard2 to send syslog directly to the same server....it's output
> looks like this:
> the configs for barnyard2 look like:
> output alert_syslog: host=10.242.3.230, LOG_AUTH LOG_ALERT
> The SIEM receives the traffic, but it doesn't know how to parse it,
> because it doesn't appear like the syslog format it expects. (I
> suspect because it's missing Facility and Severity)
> Any idea what I'm missing?
In setting up barnyard2 for logstash I found that I had to have logstash just set up as a generic UDP listener. From there barnyard2:
output alert_syslog_full: sensor_name external, server x.x.x.x, protocol udp, port 5514
That seems to work, but did require tweaking on the receiving end. Hope that helps.
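To illustrate the header the SIEM is looking for, here is an added example that is not code from this thread, barnyard2 or Security Onion: a small Python UDP relay that accepts barnyard2's raw output on a listener like James's port 5514, prepends an RFC 3164 `<PRI>` header computed from facility and severity (log_local7/log_alert gives PRI 185), and forwards the framed line to the SIEM. The hostname `sensor1`, the sample alert line and the relay ports are assumptions.

```python
import re
import socket
from datetime import datetime

# RFC 3164 facility and severity codes; only the values used in this thread are listed.
FACILITIES = {"auth": 4, "local7": 23}
SEVERITIES = {"alert": 1}

PRI_RE = re.compile(r"^<(\d{1,3})>")

# Constructed example of a barnyard2 alert line; not captured from the thread.
SAMPLE_ALERT = ("snort: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root "
                "[Classification: Potentially Bad Traffic] [Priority: 2] "
                "{TCP} 10.0.0.5:80 -> 10.0.0.9:51234")


def syslog_pri(facility, severity):
    """PRI is what the '<PRI>' header encodes: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(pri):
    """Inverse of syslog_pri: returns (facility_code, severity_code)."""
    return divmod(pri, 8)


def rfc3164_timestamp(dt):
    """'Mmm dd hh:mm:ss' with a space-padded day, as RFC 3164 requires."""
    return "%s %2d %s" % (dt.strftime("%b"), dt.day, dt.strftime("%H:%M:%S"))


def frame(line, hostname, timestamp, facility="local7", severity="alert"):
    """Return the line unchanged if it already carries a PRI header; otherwise
    prepend <PRI>, timestamp and hostname so an RFC 3164 parser accepts it."""
    if PRI_RE.match(line):
        return line
    return "<%d>%s %s %s" % (syslog_pri(facility, severity), timestamp, hostname, line)


def relay(listen_port, siem_host, siem_port, hostname):
    """Receive raw barnyard2 UDP output, add the missing header, forward to the SIEM."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("0.0.0.0", listen_port))
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    while True:
        data, _ = rx.recvfrom(65535)
        line = data.decode("utf-8", "replace").rstrip("\r\n")
        tx.sendto(frame(line, hostname, rfc3164_timestamp(datetime.now())).encode("utf-8"),
                  (siem_host, siem_port))


if __name__ == "__main__":
    # Listen on 5514 as in James's setup; the SIEM address is the one from the thread.
    relay(5514, "10.242.3.230", 514, "sensor1")
```

Lines that already start with `<PRI>` pass through untouched, so the relay can sit in front of both the Snort-via-rsyslog sensors and the barnyard2 sensors.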