[Snort-users] Snort+ and logging

Meridoff oagvozd at gmail.com
Thu Sep 20 16:55:37 EDT 2018


Thu, 20 Sep 2018 at 19:48, Andy Swartzbaugh <andy.swartzbaugh at gmail.com> wrote:

> 1)  My understanding is that Barnyard was a remedy to cope with Snort2's
> single-processor (i.e., not multi-processing) design and that Snort3 should
> be able to handle logging without needing another process to handle the
> logging.
>
>
It is true. But Barny2 is able to send alerts to DB or remote syslog - it
is useful. Snort3 now doesn't support it.

> 2) from
> www.snort.org/downloads/snortplus/snort_manual.html#_sniffing_and_logging
> :
>
> snort --pcap-dir /path/to/pcap/dir --pcap-filter '*.pcap' -L dump -l /path/to/log/dir
>
> from www.snort.org/downloads/snortplus/snort_manual.html#_alert_syslog :
>
> This must be done in snort.lua as opposed to the command line:
>
> alert_syslog =
> {
>         facility = 'local3',
>         level = 'info',
> }
>
It is true for alerts. But I've asked about the snort process (daemon) log.
Nevertheless, thank you for the info, it is useful.


> If you wanted to send the logs to another server, that would be handled
> within rsyslogd (I use Ubuntu).  Create a file named
> "/etc/rsyslog.d/10-snort.conf" : (the lower the number, the higher the
> priority) :
>
> and put the following line in it:
>
> local3.* @loghost
>
> On Thu, Sep 20, 2018 at 8:52 AM Meridoff via Snort-users <
> snort-users at lists.snort.org> wrote:
>
>> Hello, I've heard that barnyard2 is out of date for snort3.
>> Though it can be used.
>>
>> 1. What are the alternative (to barnyard2) ways for logging snort3 alerts
>> to remote databases or remote syslog etc.? Maybe it will be included in
>> snort3 project in future?
>>
>> 2. Small question - snort3 itself writes its own log to syslog (-M
>> option). What are the ways to specify internal daemon logging methods:
>> to file or syslog LEVEL or something other? I found nothing concerning this in
>> config
>>
>> Thanks for response
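An added example (not part of the thread, and not Snort or rsyslog project code): a small parser for the receiving loghost that decodes the syslog PRI value to confirm an alert really arrived on facility local3, then stores it in SQLite as one database-side alternative to barnyard2. The alert line layout, the sample lines, the table layout and the function names are assumptions constructed for illustration.

```python
import re
import sqlite3

# Syslog facility and severity names, indexed by numeric code (RFC 3164).
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp audit alert clock local0 local1 local2 local3 local4 local5 "
              "local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

# Assumed layout: <PRI>header [gid:sid:rev] "msg" [Classification: x] [Priority: n] {PROTO} src -> dst
ALERT_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>.*?\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'"?(?P<msg>.*?)"?\s+(?:\[Classification: (?P<cls>[^\]]*)\]\s+)?'
    r'\[Priority: (?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+) -> (?P<dst>\S+)')

# Constructed sample lines: a local3 alert, a daemon status message, an auth alert.
SAMPLE_LINES = [
    '<158>Sep 20 16:55:37 sensor1 snort: [1:1000001:1] "Constructed test rule" '
    '[Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:51514 -> 198.51.100.7:80',
    '<30>Sep 20 16:55:38 sensor1 snort: Commencing packet processing',
    '<38>Sep 20 16:55:39 sensor1 snort: [1:1000002:1] "Constructed rule two" '
    '[Priority: 2] {UDP} 192.0.2.11:53 -> 198.51.100.7:5353',
]

def parse_alert(line):
    """Return a dict for an alert line, or None for daemon/status messages."""
    m = ALERT_RE.match(line)
    if not m or int(m["pri"]) > 191:      # 23*8+7 is the largest valid PRI
        return None
    rec = m.groupdict()
    pri = int(rec["pri"])
    rec["facility"] = FACILITIES[pri >> 3]  # PRI = facility*8 + severity
    rec["severity"] = SEVERITIES[pri & 7]
    return rec

def store_alerts(conn, lines, facility="local3"):
    """Insert alerts seen on the expected facility; return how many were stored."""
    conn.execute("CREATE TABLE IF NOT EXISTS alerts (facility, severity, gid INT, "
                 "sid INT, rev INT, msg, cls, prio INT, proto, src, dst)")
    rows = [r for r in map(parse_alert, lines) if r and r["facility"] == facility]
    # Bound parameters only: log content is untrusted input to the database.
    conn.executemany("INSERT INTO alerts VALUES (:facility, :severity, :gid, :sid, "
                     ":rev, :msg, :cls, :prio, :proto, :src, :dst)", rows)
    conn.commit()
    return len(rows)

if __name__ == "__main__":
    print(store_alerts(sqlite3.connect(":memory:"), SAMPLE_LINES), "alert(s) stored")
```

The third sample line shows why the facility check matters: an alert emitted on `auth` instead of `local3` would never match a `local3.*` forwarding rule, so it is skipped here as well.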