Snort mailing list archives
Re: Best practice for logging alerts to syslog
From: Tony Robinson <deusexmachina667 () gmail com>
Date: Mon, 17 Dec 2012 18:25:52 -0500
I was really leaning towards that, since the purpose of by2 is to offload output formatting to begin with, but this really confirms it. Thanks, DA

On Mon, Dec 17, 2012 at 10:03 AM, Joel Esler <jesler () sourcefire com> wrote:
On Dec 15, 2012, at 10:11 PM, Tony Robinson <deusexmachina667 () gmail com> wrote:

Wanted to ask a question regarding what is best practice for snort to log alerts to syslog -- is it the better practice to have snort itself, via snort.conf, handle this, or should barnyard2 be installed, snort configured to log to unified2 and barnyard2 handle logging to syslog? I'm asking because the next thing I'd like to do for autosnort is offer a configuration option to log to syslog (for SIEM integration to something like splunk, graylog2, etc.) if the user wasn't interested in a web front-end and wanted to know what the accepted/best practice was here.

I'd personally prefer to have Snort output to unified2 and have barnyard2 deal with it. Allows for much more than just syslog in that case. You know, in case Snort dies or something, at least the logs are there for backup. Just my *druthers*.

-- *Joel Esler* Senior Research Engineer, VRT OpenSource Community Manager Sourcefire
-- when does reality end? when does fantasy begin?
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
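The split recommended in the thread (Snort writes only the binary unified2 spool; barnyard2 reads that spool and handles the syslog formatting and delivery) as a configuration example added here. It is not taken from the thread, from Snort or from the barnyard2 project; the file paths, the sensor hostname and interface, the syslog facility and the collector address are assumptions chosen for illustration.

```conf
# --- /etc/snort/snort.conf, output section (assumed path) ---
# Snort itself emits no syslog; it only spools events in unified2.
# 'limit 128' rolls the spool file at 128 MB so barnyard2 can consume
# it incrementally and Snort never blocks on a slow syslog collector.
output unified2: filename snort.u2, limit 128

# --- /etc/barnyard2/barnyard2.conf (assumed path) ---
# barnyard2 needs the same maps Snort uses to turn gid/sid numbers into
# rule messages, classifications and references in the syslog text.
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map

# Sensor identity carried in the syslog records (assumed values).
config hostname:  sensor1
config interface: eth1

# The waldo bookmark records how far into the spool barnyard2 has read,
# so after a barnyard2 restart the events logged meanwhile are still
# delivered instead of being skipped or duplicated.
config waldo_file: /var/log/snort/barnyard2.waldo

# Read the unified2 spool that Snort writes.
input unified2

# Local syslog: facility and priority (assumed facility).
output alert_syslog: LOG_LOCAL4 LOG_ALERT

# Forward to a remote collector / SIEM over UDP 514. The server address is
# a placeholder from the documentation range, not a real host.
output alert_syslog_full: sensor_name sensor1, server 192.0.2.10, protocol udp, port 514, operation_mode default
```

With both files in place, barnyard2 is started against the spool directory and base filename that Snort writes, e.g. `barnyard2 -c /etc/barnyard2/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo`. Because the spool on disk is the source of truth, the same unified2 files can also be replayed later into a database or another output plugin, which is the "much more than just syslog" point made in the reply.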
Current thread:
- Best practice for logging alerts to syslog Tony Robinson (Dec 15)
- Re: Best practice for logging alerts to syslog Joel Esler (Dec 17)
- Re: Best practice for logging alerts to syslog Tony Robinson (Dec 17)
- Re: Best practice for logging alerts to syslog Jason Haar (Dec 17)
- Re: Best practice for logging alerts to syslog Joel Esler (Dec 17)