Re: Best practice for logging alerts to syslog

[Joel Esler <jesler () sourcefire com>]

On Dec 15, 2012, at 10:11 PM, Tony Robinson <deusexmachina667 () gmail com> wrote:

> Wanted to ask a question regarding what is best practice for snort to log alerts to syslog -- is it the better 
> practice to have snort itself, via snort.conf handle this, or should barnyard2 be installed, snort configured to log 
> to unified 2 and barnyard 2 handle logging to syslog? I'm asking because the next thing I'd like to do for autosnort 
> is offer a configuration option to log to syslog (for SIEM integration to something like splunk, graylog2, etc.) if 
> the user wasn't interested in a web front-end and wanted to know what the accepted/best practice was here.

I'd personally prefer to have Snort output to unified2 and have barnyard2 deal with it.

Allows for much more than just syslog in that case.  You know, in case Snort dies or something, at least the logs are 
there for backup.

Just my druthers.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!