[Snort-users] Snort+ and logging

Andy Swartzbaugh andy.swartzbaugh at gmail.com
Thu Sep 20 12:48:07 EDT 2018


1)  My understanding is that Barnyard was a remedy to cope with Snort2's
single-processor (i.e., not multi-processing) design and that Snort3 should
be able to handle logging without needing another process to handle the
logging.

2) from
www.snort.org/downloads/snortplus/snort_manual.html#_sniffing_and_logging :

snort --pcap-dir /path/to/pcap/dir --pcap-filter '*.pcap' -L dump -l
/path/to/log/dir

from www.snort.org/downloads/snortplus/snort_manual.html#_alert_syslog :

This must be done in snort.lua as opposed to the command line:

alert_syslog =
{
        facility = local3,
        level = info,

}

If you wanted to send the logs to another server, that would be handled
within rsyslogd (I use Ubuntu).  Create a file named
"/etc/rsyslog.d/10-snort.conf" : (the lower the number, the higher the
priority) :

and put the following line in it:

local3.* @loghost





On Thu, Sep 20, 2018 at 8:52 AM Meridoff via Snort-users <
snort-users at lists.snort.org> wrote:

> Hello, I've heared that barnyard2 is out of date for snort3.
> Though it can be used .
>
> 1. What are the alternative (to barnyard2) ways for logging snort3 alerts
> to remote data-bases or remote syslog etc ? May be it will be included in
> snort3 project in future?
>
> 2.Small question - snort3 itself writes its own log to syslog (-M option).
> What are the ways to specifiy internal daemon logging  methods : to file or
> syslog LEVEL ot smth orher ? I found nothing concering this  in config
>
> Thanks for response
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.snort.org
> Go to this URL to change user options or unsubscribe:
> https://lists.snort.org/mailman/listinfo/snort-users
>
>         To unsubscribe, send an email to:
>         snort-users-leave at lists.snort.org
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
> Please follow these rules:
> https://snort.org/faq/what-is-the-mailing-list-etiquette
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20180920/2d844854/attachment.html>


More information about the Snort-users mailing list