Snort mailing list archives

RE: Problems logging to syslog and mysql simultaneously


From: "Michael Steele" <michaels () silicondefense com>
Date: Wed, 19 Jun 2002 16:38:34 -0700

Don,

What I sent you works here. I can turn the Syslog option off/on by
removing or adding the lines to snort.conf. Are there any events in your
Syslog? What version of windows? Have you upgraded to the latest Service
Pack?

This is a strange problem, and more a system problem than a Snort
problem. The -s switch only works on UNIX, as far as I know. The only
option is what I sent you for sending alerts to the Syslog. It is a
very limited output of one line that is sent to Syslog when the plug-in
is turned on.

You will get more information from your management console (Acid,
Snortsnarf, IDS Center, or whatever you're using) than from this Syslog
alert entry.

Email alerting is what I'm looking for, but so far I have been unable to
find anything like Swatch that will monitor the Syslog and send out
alerts based on a pattern. This is useful if you are logging to Syslog,
but you are still only seeing a small part of the alert.

-Michael
--
 Michael Steele | System Engineer / Support Technician
 mailto:michaels () silicondefense com
 Silicon Defense: IDS solutions - http://www.silicondefense.com
 Snort: Open Source Network IDS - http://www.snort.org
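An added example, not from the thread or from Snort itself: a small Swatch-style monitor in Python that parses Snort's one-line syslog alerts and calls a notifier when a rule matches. The alert layout (gid:sid:rev, message, classification, priority, protocol, src -> dst), the sample syslog lines and the two rules are assumptions constructed for the demo.

```python
import re
from collections import Counter

# Assumed layout of Snort's one-line alert_syslog output (not quoted from the thread):
# [gid:sid:rev] msg [Classification: c] [Priority: n]: {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?"
    r"\[Priority:\s*(?P<prio>\d+)\]:\s*\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s*->\s*(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

def parse_alert(line):
    """Return a dict for a Snort syslog alert line, or None for any other line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    a = m.groupdict()
    for k in ("gid", "sid", "rev", "prio"):
        a[k] = int(a[k])
    for k in ("sport", "dport"):  # ICMP alerts carry no ports
        a[k] = int(a[k]) if a[k] else None
    return a

# Swatch-style rules: a name and a predicate over the parsed alert (constructed).
RULES = [
    ("high-priority", lambda a: a["prio"] <= 1),
    ("sid-watch", lambda a: (a["gid"], a["sid"]) in {(1, 498)}),
]
def scan(lines, notify):
    """Parse each line, apply RULES, call notify(alert, names) on a hit; return hit counts."""
    hits = Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        fired = [name for name, pred in RULES if pred(alert)]
        if fired:
            notify(alert, fired)
            hits.update(fired)
    return hits

# Constructed sample syslog lines for the demo (not taken from the thread).
SAMPLE_LOG = """\
Jun 19 15:34:01 sensor snort: [1:498:3] ATTACK RESPONSES id check returned root [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.0.0.5:80 -> 10.0.0.9:3412
Jun 19 15:34:02 sensor snort: [1:1243:8] WEB-IIS ISAPI .ida attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} 192.168.1.20:4102 -> 10.0.0.5:80
Jun 19 15:34:03 sensor snort: [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.1.20 -> 10.0.0.5
Jun 19 15:34:04 sensor syslogd: restart
""".splitlines()
```

To use it against a live file, feed `scan()` the lines of the syslog output and pass a notify callable that sends mail (for example via smtplib); the parser skips non-Snort lines such as the syslogd restart above.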



-----Original Message-----
From: Don [mailto:Don () WeberOnTheWeb com] 
Sent: Wednesday, June 19, 2002 3:34 PM
To: Michael Steele
Subject: RE: [Snort-users] Problems logging to syslog and mysql
simultaneously

tried that, did that, just now again even, still no go

Don


-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Michael
Steele
Sent: Wednesday, June 19, 2002 3:13 PM
To: dlpassport () s2access com
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Problems logging to syslog and mysql
simultaneously


Dallas,

Remove the -s switch and add these to your Snort.conf

output alert_syslog: LOG_AUTH LOG_ALERT
output alert_full

-Michael
--
 Michael Steele | System Engineer / Support Technician
 mailto:michaels () silicondefense com
 Silicon Defense: IDS solutions - http://www.silicondefense.com
 Snort: Open Source Network IDS - http://www.snort.org



-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of
dlpassport () s2access com
Sent: Wednesday, June 19, 2002 2:46 PM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Problems logging to syslog and mysql
simultaneously

I'm still experiencing the same problem logging to a local syslog, even
with the database logging disabled... it will only write there if I
specify the -s 127.0.0.1. I've got a feeling I'm missing something
obvious. Any suggestions?


Thanks,
DL


-----Original Message-----
From: Michael Steele [mailto:michaels () silicondefense com]
Sent: Wednesday, June 19, 2002 2:26 PM
To: dlpassport () s2access com
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Problems logging to syslog and mysql
simultaneously

Dallas,
You need to pickup a syslog server like Kiwi Syslog Server or a freeware
one:
Snip--Snip ->
For stability I would recommend 3com's free syslog server for Windowz
http://support.3com.com/software/utilities_for_windows_32_bit.htm <--
for a bunch of goodies
ftp://ftp.3com.com/pub/utilbin/win32/3CSyslog.zip <-- for the syslog
server
It runs great on 2K & XP
This one may work:
http://www.cls.de/Default.asp
works well but randomly inserts fixed string in syslog output in
the freeware version.
<--snip-->
Hello list. I am running Snort 1.8.7-mysql-win32 and am having the
following problem.
I would like to log to the local mysql database as well as a remote
syslog.
From all that I can find, the only way to log to a remote syslog is
with a -s 1.1.1.1 option from the command line. When I specify this on
the command line, snort ignores my output database statement.
Is there any way to specify a remote syslog server within snort.conf?
What else could be causing this problem? I'd prefer not to log to a
local syslogd then forward.
Thanks,
Dallas LaRose
<--snip from snort.conf-->
output alert_syslog: LOG_AUTH LOG_ALERT
output database: log, mysql, user=snort password=blah dbname=snort port=3306 host=localhost
<--snip-->
<--snip-->


----------------------------------------------------------------------------
                   Bringing you mounds of caffeinated joy
                   >>>     http://thinkgeek.com/sf    <<<

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

