Snort mailing list archives
Re: Remote syslogging with multiple interfaces
From: Kevin Ponds <kponds () gmail com>
Date: Mon, 8 Aug 2005 14:55:25 -0500
Thanks for the help all, assumed that letting snort do it was the preferred way, but I'll do it with syslog.

Thanks,
Kevin

On 8/8/05, Matt Kettler <mkettler () evi-inc com> wrote:
> Kevin Ponds wrote:
> > Hi all,
> >
> > I have two interfaces on my sensors - a dedicated sniffing interface and a dedicated management interface. The sniffing interfaces cannot talk on the network. I'd like to send syslog events to a remote management machine. However, snort is running on the sniff interface (eth1), and I believe it's trying to send the syslog stuff out that interface. This doesn't work. Is there any way to get snort to sniff on one interface and send syslog events on another?
> >
> > I'm using:
> >
> > output alert_syslog: host=192.168.40.104:514, LOG_AUTH LOG_ALERT
>
> Rather than get snort to do the redirection, why not have snort log to the local syslogd (via normal unix sockets instead of IP sockets) and have syslog.conf redirect the messages to a separate box? (syslogd can do this easily.. instead of specifying an output file for the messages you specify @192.168.40.104)
>
> IMO this is really the way it should be done anyway. Centralized logging control is much more flexible than per-application logging control. You also get the option of logging a duplicate copy locally, should you desire to do so.
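
An added example, not part of the thread: a check that a sensor's syslog.conf really forwards Snort's alerts (facility `auth`, priority `alert`, from `LOG_AUTH LOG_ALERT`) to the management host while keeping a local copy. It assumes Snort's `host=` option has been dropped so it logs to the local syslogd; the sample syslog.conf, file paths and function names are constructed for illustration, and only a subset of classic selector syntax is handled (no `=` or `!` modifiers).

```python
# Added example: which syslog.conf actions receive a message of a given
# facility/priority. Subset of classic syslogd selector syntax (assumption):
# "fac[,fac].pri", "*" wildcards, "none", ";"-separated selectors.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

# Constructed sample syslog.conf for the sensor (not from the thread).
SAMPLE_CONF = """\
# everything at info or above, except auth and mail
*.info;auth.none;mail.none\t/var/log/messages
# forward Snort's LOG_AUTH/LOG_ALERT alerts to the management host
auth.alert\t@192.168.40.104
# optional duplicate copy kept on the sensor
auth.*\t/var/log/secure
mail.*\t-/var/log/maillog
"""

def rule_matches(selectors, facility, priority):
    """Apply ';'-separated selectors left to right; later ones override."""
    matched = False
    for selector in selectors.split(";"):
        facs, _, pri = selector.strip().rpartition(".")
        names = facs.split(",")
        if facility not in names and "*" not in names:
            continue
        if pri == "none":
            matched = False
        elif pri == "*":
            matched = True
        else:  # a bare priority means "this level or more severe"
            matched = PRIORITIES.index(priority) >= PRIORITIES.index(pri)
    return matched

def actions_for(conf_text, facility, priority):
    """Return the action field of every rule that matches the message."""
    actions = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selectors, action = line.split(None, 1)
        if rule_matches(selectors, facility, priority):
            actions.append(action.strip())
    return actions

def remote_hosts(conf_text, facility, priority):
    """Hosts ('@host' actions) the message is forwarded to."""
    return [a[1:] for a in actions_for(conf_text, facility, priority) if a.startswith("@")]

if __name__ == "__main__":
    print(actions_for(SAMPLE_CONF, "auth", "alert"))
```

An empty result from `remote_hosts(conf, "auth", "alert")` means the alerts never leave the sensor.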