Snort mailing list archives

Re: Remote Syslog...


From: Erek Adams <erek () snort org>
Date: Tue, 7 Oct 2003 08:54:21 -0400 (EDT)

On Mon, 6 Oct 2003, Mike Koponick wrote:

> I have been trying to configure snort to log to a remote syslog server.

> [...snip...]

> I'm using 2.0 Snort on Linux 9.0.

*bzzzttt*

No such animal as "Linux 9.0".  Linux is currently at 2.4.x kernel level.
Various distros have naming schemes that might fit the 9.0 statement.
Yes, it seems minor, but it's really not--it really helps to know exactly
what you're dealing with while troubleshooting.  Perhaps you meant "RedHat
9.0"?

> Syslog.conf:
> auth.alert                                              @console

You really need to read the man page for syslog.conf.  Here's a snippet
from my OpenBSD box that might shed some light on that for you:

 # Everybody gets emergency messages, plus log them on another
 # machine.
 *.emerg                                                 *
 *.emerg                                                 @arpa.berkeley.edu

So to adapt that to you:

 auth.alert                                             @some.other.host

And then you'll need to change some.other.host's syslog.conf so that it
will send those alerts to console.

>        /usr/local/bin/snort -o -z -i eth1 -d -D -c \
> /etc/snort/snort.conf -I -A full -s console:514

*bzzzt*

Snort does not take any options for Syslog output.  It logs to a local
syslog daemon, and that daemon sends it on to a remote one.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
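The whole chain the reply describes, written out as an added example (not from the thread or the Snort project; `loghost.example.com` is a placeholder hostname, and the `output alert_syslog` line assumes Snort 2.0's syslog output plugin):

```conf
# --- snort.conf on the sensor ---
# Send alerts to the LOCAL syslogd; facility/priority chosen so they
# match the auth.alert selector used below.
output alert_syslog: LOG_AUTH LOG_ALERT

# --- /etc/syslog.conf on the sensor ---
# Forward, do not try to name a remote console here.
auth.alert                                              @loghost.example.com

# --- /etc/syslog.conf on loghost.example.com ---
# The receiving syslogd decides what to do with the forwarded alerts.
auth.alert                                              /dev/console
```

The receiving syslogd must be started so that it accepts messages from the network (sysklogd on Linux needs `-r`, OpenBSD's syslogd needs `-u`). Classic syslog forwarding is unauthenticated UDP on port 514, so restrict which hosts may reach that port on the log host with a packet filter.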


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net