Re: Snort-users Digest, Vol 45, Issue 10

[Willst Mail <willstmail () gmail com>]

In response to Shawn Jefferson re: barnyard2,
The questioner mentions he wants to log to a remote syslog as well as local.
 Except on Windows, barnyard2 does not support sending syslog to a remote
host but instead relies on logging locally and having the local syslog
server forward the message on barnyard2's behalf.

Speaking of which, might the original poster try configuring local syslog to
forward messages to the remote host at least as a troubleshooting step to
ensure communication in general works between the two hosts?

------------------------------
> Message: 3
> Date: Thu, 4 Feb 2010 09:54:02 -0700
> From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
> Subject: Re: [Snort-users] Barnyard Not Outputting to Syslog
> To: infosec posts <infosec.posts () gmail com>,
>        "snort-users () lists sourceforge net"
>        <snort-users () lists sourceforge net>
> Message-ID:
>
>  <D05BDFB6A6F4EE43ABE62D1A7170AF37128159E122 () HEXBCFMBVS01 exchange bcferries corp
> >
>
> Content-Type: text/plain; charset="us-ascii"
>
> I suggest you go to Barnyard2, it is currently supported and being
> developed.
>
> I had a similar setup once (I'm now using Barnyard2), and I believe you
> actually have to run two instances of barnyard, since barnyard doesn't seem
> to be able to send alerts to two different locations (that's my recollection
> anyway, as I said, now I'm using Barnyard2, and it definitely will do what
> you want.)
>
>
>
> -----Original Message-----
> From: infosec posts [mailto:infosec.posts () gmail com]
> Sent: Thursday, February 04, 2010 8:07 AM
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] Barnyard Not Outputting to Syslog
>
> I have a snort/barnyard implementation that has been sending alerts to
> a remote mysql instance since its inception.  Now, I would like to
> also have barnyard send alerts to syslog.  I've reviewed the setup
> guides at snort.org and what documenation or pointers I can find via
> google, but I haven't come up with any information that is helping me
> to correct the issue.
>
> When I enable the syslog output directly in the snort conf, with the
> same string I'm using in the barnyard.conf, I get syslog entries
> as/where expected, so my local syslog is working fine.  I've tried the
> configuration below, using alert_syslog with a remote syslog server,
> and also using barnyard's alert_syslog2 plugin both locally and
> remotely, but barnyard just doesn't seem to fire anything off to
> syslog (when using alert_syslog2, tcpdump on the snort box shows no
> traffic attempting to go to the remote machine).  I have continued to
> receive events to the remote mysql instance in all of these syslog
> test configurations.
>
> ====barnyard.conf====
> output alert_syslog: LOG_LOCAL4 LOG_ALERT
>
> ====snort.conf====
> output alert_unified: filename snort.alert, limit 128
> output log_unified: filename snort.log, limit 128
>
> ====syslog.conf====
> #test section for snort
> local4.*
>  /var/log/snort-sl-log
>
> ====barnyard run string====
>  /usr/local/bin/barnyard -c /etc/snort/barnyard.conf -d /var/log/snort
> -w /etc/snort/waldo2 -f snort.log
>
>
> I'm probably missing something minor/obvious, but I'm stumped, so I'd
> appreciate any assistance.
>
> Thanks.
------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users