Snort mailing list archives
Snort behavior
From: "Slighter, Tim" <tslighter () itc nrcs usda gov>
Date: Tue, 8 Apr 2003 11:48:51 -0600
I have been conducting some regression tests on earlier releases of snort and have witnessed the erratic results with the syslog plugin.

With 1.8.7:

    output alert_syslog: LOG_LOCAL5
    snort -i eth0 -T

works just fine without errors. However, regardless of what is specified as the facility, the output ALWAYS goes to *.info, so perhaps a local5.info would be the appropriate entry in syslog.conf rather than local5.* ???

With 1.9.0:

    output alert_syslog: LOG_LOCAL5
    snort -i eth0 -T

does not work and generates an error about an unrecognized output plugin alert_syslog. This build does not appear to work with the alert_syslog. Workaround might be to use the -s instead ??

With 1.9.1: Same behavior as 1.9.0....does not work.

Results from 2.0 RC4:

    output alert_syslog: LOG_LOCAL5
    snort -i eth0 -T

appears to work fine with no errors; same behavior with *.info, local5.info might be a better workaround in syslog.conf.

For those of you out there wishing to use syslog output and wish to forward those alerts over to another host.....don't forget that the centralized syslog repository needs to be configured to receive network syslogs (/etc/sysconfig/syslog needs the -r) and I'm pretty certain that the sending host needs to be configured to forward syslogs (/etc/sysconfig/syslog needs the -h).

End of boring email......
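As an added example (not part of Tim Slighter's post, and not Snort's or sysklogd's own code), the following Python script shows why the syslog.conf entry matters: the facility from `output alert_syslog: LOG_LOCAL5` and the severity the plugin actually uses (info, per the post) are packed into the PRI header of every syslog message, and a classic syslog.conf selector such as `local5.*` or `local5.info` is matched against that pair to decide which file or remote host receives the alert. The facility and severity numbers follow RFC 3164; the sample syslog.conf, the log file paths, the host name `loghost.example.net` and the alert text are constructed for illustration.

```python
"""Encode/decode the syslog PRI header and emulate classic syslog.conf
selector matching (sysklogd style).  Added example; the sample config,
paths, host name and alert message below are constructed."""
import re

# RFC 3164 facility and severity codes.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11,
              **{f"local{i}": 16 + i for i in range(8)}}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity, e.g. local5/info -> 174."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(pri):
    """Split a PRI value back into (facility, severity) names."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range")
    fac = {v: k for k, v in FACILITIES.items()}[pri // 8]
    sev = {v: k for k, v in SEVERITIES.items()}[pri % 8]
    return fac, sev


def parse_message(line):
    """Return (facility, severity, body) for a '<PRI>...' syslog line."""
    m = re.match(r"<(\d{1,3})>(.*)$", line, re.S)
    if not m:
        raise ValueError("missing PRI header")
    fac, sev = decode_pri(int(m.group(1)))
    return fac, sev, m.group(2)


def selector_matches(selector, facility, severity):
    """Emulate a syslog.conf selector: 'fac.pri' matches pri and anything
    more severe, '=pri' matches exactly, '*' matches everything, 'none'
    excludes; facilities may be comma-separated and sub-selectors are
    joined with ';' (later ones override earlier ones for a facility)."""
    result = False
    for part in selector.split(";"):
        facs, _, pri = part.partition(".")
        fac_list = [f.strip() for f in facs.split(",")]
        if "*" not in fac_list and facility not in fac_list:
            continue
        pri = pri.strip()
        if pri == "none":
            result = False
        elif pri == "*":
            result = True
        elif pri.startswith("="):
            result = SEVERITIES[severity] == SEVERITIES[pri[1:]]
        else:
            result = SEVERITIES[severity] <= SEVERITIES[pri]
    return result


def route_message(conf_text, line):
    """List the actions (files or @host targets) a syslog.conf would fire for
    one message.  Comments and blank lines are ignored."""
    fac, sev, _ = parse_message(line)
    actions = []
    for raw in conf_text.splitlines():
        raw = raw.split("#", 1)[0].strip()
        if not raw:
            continue
        selector, action = raw.split(None, 1)
        if selector_matches(selector, fac, sev):
            actions.append(action.strip())
    return actions


# Constructed syslog.conf: general log excludes local5, a dedicated file
# catches everything on local5, and info-and-above on local5 is forwarded
# to a (hypothetical) central loghost.
SAMPLE_CONF = """
# constructed example syslog.conf
*.info;local5.none      /var/log/messages
local5.*                /var/log/snort-alerts
local5.info             @loghost.example.net
"""

# Constructed alert as it would arrive on the wire: local5/info -> PRI 174.
SAMPLE_ALERT = "<174>Apr  8 11:48:51 sensor snort: [**] constructed test alert [**]"

if __name__ == "__main__":
    print("PRI for local5/info:", encode_pri("local5", "info"))
    print("Decoded:", parse_message(SAMPLE_ALERT)[:2])
    print("Delivered to:", route_message(SAMPLE_CONF, SAMPLE_ALERT))
```

Because `local5.info` means "info and more severe" (not "info only"), it catches the plugin's info-level alerts just as `local5.*` does; the difference only shows up if something else logs debug-level messages on local5. The `*.info;local5.none` line illustrates how to keep those alerts out of the general log once they have their own file.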