Re: Unrecognised syslog facility/priority in snort

["praveen_recker ." <praveen_recker () sify com>]

In snort.conf, stick to
output alert_syslog: host=172.20.54.213:514, LOG_AUTH LOG_ALERT

Are you able to see logs at *.*  /var/log/172.20.54.212/syslog
$AllowedSender TCP, 127.0.0.1, 172.0.0.0/24, 172.20.54.211
comment above line or add required IP's (I think it should be
172.20.25.0/24instead of
172.0.0.0/24)

Replace *"auth.alert                   @172.20.54.213.*" with "**.alert
              @172.20.54.213:514*"
Didn't find above line in config file.

> From 172.20.54.213 (snort) ping 172.20.54.213(syslog server) viceversa.
> From 172.20.54.213 (snort) nc 172.20.54.213(syslog server) on udp/514 port.

Best Regards,
Praveen Darshanam


On Sun, Oct 13, 2013 at 3:04 PM, Mayur Patil <ram.nath241089 () gmail com>wrote:

> Hi Praveen Sir,
>
>         Thanks for the reply.
>
> What ur Snort IP (as per my understanding it is also syslog Client), give
> > me IP's
>
>    Right. Snort is same as syslog client (*172.20.54.211*)
>
> *   Please Ignore any configurations related to IP 172.20.54.212 as it is
> other machine.*
>
>
> >  and
>
>
>
>
> > syslog server IP and conf's.
>    *syslog server IP: 172.20.54.213*
> *   *
>
> > Give me full conf file on all the machines involved.
> snort/syslog conf's
>
>
>    On Snort machine IP 172.20.54.211,
>    On location */etc/rsyslog.d/, * file rsyslog.conf.
>    Contents are
> *   auth.alert                   @172.20.54.213.*
> *
> *
>    I am attaching files as follows:
>
>   [1] rsyslog file for snort machine
>
>   [2] snort.conf
>
>   [3] rsyslog.conf for syslog server
> *
> *
>    Seeking for guidance,
>
>   Thanks !
> *
> *
> *--*
> *Cheers,*
> *Mayur *
>
>
>
> > Best Regards,
> > Praveen Darshanam
> >
> >
> > On Fri, Oct 11, 2013 at 4:40 PM, Mayur Patil <ram.nath241089 () gmail com>wrote:
> >
> > > Hi Praveen Sir,
> > >
> > >      The logs are now appearing in syslog.
> > >
> > >      What I have done :
> > >
> > >      I changed facility and priority as follows:
> > >
> > >     *  facility: Daemon     and       level: notice
> > >  *
> > >      in snort.conf as
> > >
> > >      output alert_syslog: host=172.20.54.213, LOG_DAEMON LOG_NOTICE
> > >
> > >      and logs are appearing in syslog of alert as follows:
> > >
> > >      http://fpaste.org/46064/
> > >
> > >      now I just want your help for getting messages at AUTH.ALERT level.
> > >
> > >      Seeking for guidance,
> > >
> > >      Thanks !!
------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!