On 9/20/18 4:55 PM, Meridoff via Snort-users wrote:


Thu, 20 Sep 2018 at 19:48, Andy Swartzbaugh <andy.swartzbaugh@gmail.com>:
1)  My understanding is that Barnyard was a remedy to cope with Snort2's single-processor (i.e., not multi-processing) design and that Snort3 should be able to handle logging without needing another process to handle the logging. 


It is true. But Barnyard2 is able to send alerts to a DB or remote syslog - it is useful. Snort3 now doesn't support it.
Snort 3 can integrate with Barnyard 2 with this configuration:

    bool unified2.legacy_events = false: generate Snort 2.X style events for barnyard2 compatibility

The problem is that Snort 3 generates more and different data than BY2 can process.  An alternative is to use JSON and elastic stack or splunk.  See e.g. https://blog.snort.org/2017/11/snort-30-with-elasticsearch-logstash.html.

2) from www.snort.org/downloads/snortplus/snort_manual.html#_sniffing_and_logging :

snort --pcap-dir /path/to/pcap/dir --pcap-filter '*.pcap' -L dump -l /path/to/log/dir

from www.snort.org/downloads/snortplus/snort_manual.html#_alert_syslog :

This must be done in snort.lua as opposed to the command line:

alert_syslog =
{
        facility = local3,
        level = info,

}
Just to clarify, facility and level are strings so level = 'info' etc. (enums take string values):

$ snort --help-config alert_syslog
enum alert_syslog.facility = auth: part of priority applied to each message { auth | authpriv | daemon | user | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 }
enum alert_syslog.level = info: part of priority applied to each message { emerg | alert | crit | err | warning | notice | info | debug }
multi alert_syslog.options: used to open the syslog connection { cons | ndelay | perror | pid }


It is true for alerts. But I've asked about the snort process (daemon) log. Nevertheless - thank you for the info, it is useful.
 
If you wanted to send the logs to another server, that would be handled within rsyslogd (I use Ubuntu).  Create a file named "/etc/rsyslog.d/10-snort.conf" (the lower the number, the higher the priority)

and put the following line in it:

local3.* @loghost





On Thu, Sep 20, 2018 at 8:52 AM Meridoff via Snort-users <snort-users@lists.snort.org> wrote:
Hello, I've heard that barnyard2 is out of date for snort3.
Though it can be used.

1. What are the alternative (to barnyard2) ways of logging snort3 alerts to remote databases or remote syslog etc.? Maybe it will be included in the snort3 project in future?

2. Small question - snort3 itself writes its own log to syslog (-M option). What are the ways to specify internal daemon logging methods: to file, or syslog LEVEL, or something other? I found nothing concerning this in the config.

Thanks for the response
_______________________________________________
Snort-users mailing list
Snort-users@lists.snort.org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave@lists.snort.org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

