Snort mailing list archives
Re: Send snort alerts via syslog to ArcSight
From: beenph <beenph () gmail com>
Date: Mon, 1 Oct 2012 17:22:19 -0400
On Mon, Oct 1, 2012 at 5:05 PM, Joel Esler <jesler () sourcefire com> wrote:
I believe (and that means I'm probably totally wrong about this), but I believe barnyard's syslog format differs slightly from the built-in Snort format. Someone correct me if I'm wrong on that?
@joel 2-1.10 uses the same format if someone uses the syslog_full output plugin. @Pablo download barnyard2 2-1.10 and configure the following output plugin:

# syslog_full
#-------------------------------
# Available as both a log and alert output plugin. Used to output data via TCP/UDP or LOCAL ie(syslog())
# Arguments:
#     sensor_name $sensor_name        - unique sensor name
#     server $server                  - server the device will report to
#     local                           - if defined, ignore all remote information and use syslog() to send message.
#     protocol $protocol              - protocol device will report over (tcp/udp)
#     port $port                      - destination port device will report to (default: 514)
#     delimiters $delimiters          - define a character that will delimit message sections ex: "|", will use | as message section delimiters. (default: |)
#     separators $separators          - define field separator included in each message ex: " ", will use space as field separator. (default: [:space:])
#     operation_mode $operation_mode  - default | complete : default mode is compatible with default snort syslog message, complete prints more information such as the raw packet (hexed)
#     log_priority $log_priority      - used by local option for syslog priority call. (man syslog(3) for supported options) (default: LOG_INFO)
#     log_facility $log_facility      - used by local option for syslog facility call. (man syslog(3) for supported options) (default: LOG_USER)
# Usage Examples:
# output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode default
# output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode complete
# output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode default
# output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514, operation_mode complete
# output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514
# output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514
# output alert_syslog_full: sensor_name snortIds1-eth2, local
# output log_syslog_full: sensor_name snortIds1-eth2, local, log_priority LOG_CRIT, log_facility LOG_CRON

Just make sure that operation_mode is set to default and it should be like snort syslog output.

-elz
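The reply above says that syslog_full in operation_mode default produces the same message layout as Snort's own alert_syslog output, which is what a collector such as ArcSight has to parse. The following parser is an added example, not code from this thread, from Snort or from barnyard2; it assumes the well-known Snort syslog alert layout `[gid:sid:rev] msg [Classification: text] [Priority: n] {PROTO} src:port -> dst:port`, treats the Classification section and the ports as optional (ICMP alerts carry no ports), and runs over a few constructed syslog lines with local-range SIDs. The sensor name `snortIds1-eth2` is taken from the config comments above; the program name, PIDs, addresses and rule messages are made up for the example.

```python
"""Parse alerts in Snort's default syslog format into structured records.

Added example, not code from the thread, Snort or barnyard2. It assumes the
layout barnyard2's syslog_full plugin emits in operation_mode default, which
the thread says matches Snort's own alert_syslog output:

    [gid:sid:rev] msg [Classification: text] [Priority: n] {PROTO} src:port -> dst:port

"[Classification: ...]" and the ports are optional.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Alert body only; applied with search() so any syslog header that precedes
# "[gid:sid:rev]" (timestamp, host, program[pid]:) is tolerated.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9-]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)


@dataclass(frozen=True)
class SnortAlert:
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]

    @property
    def rule_id(self) -> str:
        return f"{self.gid}:{self.sid}:{self.rev}"


def parse_alert(line: str) -> Optional[SnortAlert]:
    """Return a SnortAlert for one syslog line, or None if it is not an alert."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    return SnortAlert(
        gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        msg=m["msg"].strip(),
        classification=m["classification"],
        priority=int(m["priority"]),
        proto=m["proto"].upper(),
        src=m["src"], sport=int(m["sport"]) if m["sport"] else None,
        dst=m["dst"], dport=int(m["dport"]) if m["dport"] else None,
    )


def parse_lines(lines: Iterable[str]) -> List[SnortAlert]:
    """Parse every line, skipping syslog traffic that is not a Snort alert."""
    return [a for a in (parse_alert(l) for l in lines) if a is not None]


def at_or_above(alerts: Iterable[SnortAlert], max_priority: int = 1) -> List[SnortAlert]:
    """Snort priority 1 is the most severe, so 'at or above' means <= max_priority."""
    return [a for a in alerts if a.priority <= max_priority]


# Constructed sample lines (hypothetical sensor output, not real sensor data).
SAMPLE_SYSLOG = [
    "Oct  1 17:22:19 snortIds1-eth2 barnyard2[2451]: [1:1000001:2] LOCAL suspicious id check response "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 192.168.1.20:49310",
    "Oct  1 17:22:20 snortIds1-eth2 barnyard2[2451]: [1:1000002:1] LOCAL ICMP sweep from internal host "
    "[Priority: 3] {ICMP} 192.168.1.20 -> 10.0.0.5",
    "Oct  1 17:22:21 snortIds1-eth2 barnyard2[2451]: [1:1000003:1] LOCAL outbound connection to known bad port "
    "[Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.20:51002 -> 203.0.113.9:4444",
    "Oct  1 17:22:22 snortIds1-eth2 barnyard2[2451]: Opened spool file (not an alert)",
]

if __name__ == "__main__":
    for alert in parse_lines(SAMPLE_SYSLOG):
        print(f"{alert.rule_id:<12} prio={alert.priority} {alert.proto:<4} "
              f"{alert.src}:{alert.sport} -> {alert.dst}:{alert.dport}  {alert.msg}")
```

Because the regex is anchored on the `[gid:sid:rev]` token rather than on the syslog header, the same parser works whether the header comes from Snort itself, from barnyard2 in local mode via syslog(), or from a relay that rewrites the header. Anything that does not match, such as barnyard2's own status messages, is dropped rather than mis-parsed.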