Snort mailing list archives
Re: Snort alerts to a remote syslog server
From: Iliass Hakim <iliass61 () hotmail com>
Date: Thu, 19 Jun 2014 13:56:51 +0000
Thanks, but I have my syslog server configured; my rsyslog.conf file:

    $ModLoad imuxsock # provides support for local system logging
    $ModLoad imklog   # provides kernel logging support (previously done by rklogd)
    #$ModLoad immark  # provides --MARK-- message capability

    # provides UDP syslog reception
    $ModLoad imudp
    $UDPServerRun 514

    # provides TCP syslog reception
    $ModLoad imtcp
    $InputTCPServerRun 1514

    ###########################
    #### GLOBAL DIRECTIVES ####
    ###########################

    #
    # Use traditional timestamp format.
    # To enable high precision timestamps, comment out the following line.
    #
    #$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

    # Filter duplicated messages
    $RepeatedMsgReduction off

    #
    # Set the default permissions for all log files.
    #
    $FileOwner syslog
    $FileGroup adm
    $FileCreateMode 0640
    $DirCreateMode 0755
    $Umask 0022
    $PrivDropToUser syslog
    $PrivDropToGroup syslog

    #
    # Where to place spool files
    #
    $WorkDirectory /var/spool/rsyslog

    #
    # Include all config files in /etc/rsyslog.d/
    #
    $IncludeConfig /etc/rsyslog.d/*.conf

and in my snort.conf file I have added:

    output alert_syslog: host=@ syslog server:514, LOG_AUTH LOG_ALERT

but it's not working.

Regards
---------------------------------------------------------
HAKIM Iliass
Network & Telecommunications Engineer
Université Bretagne Occidentale
+33 6 40 24 39 16
Please consider the environment before printing this message.

From: kkurzawa () co pinellas fl us
To: snort-users () lists sourceforge net
Date: Thu, 19 Jun 2014 09:14:16 -0400
Subject: Re: [Snort-users] Snort alerts to a remote syslog server

I currently use syslog-ng and send that info to a splunk server. Little difference. I tell syslog on the snort machine to watch the alerts file and send the info to an IP:port specification. Shazam.

My additions to the syslog-ng.conf are as follows:

    source s_ids { file("/var/log/snort/alerts"); };
    destination d_splunk { udp("server-name" port(1bajillion)); };
    log { source(s_ids); destination(d_splunk); };

------------------------------------------------------------------------------
HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
Find What Matters Most in Your Big Data with HPCC Systems
Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
Leverages Graph Analysis for Fast Processing & Easy Data Exploration
http://p.sf.net/sfu/hpccsystems
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
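An added example, written for this archive page; it is not Snort's alert_syslog plugin and not either poster's configuration. It does in Python what Kevin's syslog-ng snippet does: watch the alert file and ship each alert to a host:port as a syslog datagram, with the pieces (alert_fast line parsing, the PRI for LOG_AUTH.LOG_ALERT, the RFC 3164 message) laid out so they can be checked. Two caveats a reader comparing it with the snort.conf line above will want: Snort's alert_syslog output takes host=<host>:<port> with no leading @ (the @ prefix is rsyslog's own forwarding-rule syntax, as in *.* @192.0.2.10:514, and @@ for TCP), and UDP syslog is plaintext, unauthenticated and lossy, so for alerts that drive response prefer the TCP listener the poster already has on 1514, or a TLS-wrapped forwarder. The destination 192.0.2.10, the sensor name and the sample alert lines are constructed.

```python
"""Ship Snort alert_fast lines to a remote syslog server over UDP.

Added example for this thread.  Not Snort's own alert_syslog output plugin
and not either poster's configuration; it does in user space what the thread
describes (watch the alert file, send each alert to host:port) so the parts
can be inspected.  The host 192.0.2.10, the sensor name and the sample alert
lines are constructed.
"""
import re
import socket
import time

# Facility and severity codes from RFC 3164 section 4.1.1 (same values as
# <syslog.h>).  PRI = facility * 8 + severity, so LOG_AUTH.LOG_ALERT is 33.
LOG_AUTH = 4
LOG_ALERT = 1

# Constructed alert_fast lines of the shape Snort writes to its alert file.
SAMPLE_ALERTS = [
    "06/19-13:56:51.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check "
    "returned root [**] [Classification: Potentially Bad Traffic] "
    "[Priority: 2] {TCP} 10.0.0.5:80 -> 10.0.0.9:51234",
    "06/19-13:57:02.000001  [**] [1:1000001:1] LOCAL ICMP echo from outside "
    "[**] [Priority: 3] {ICMP} 198.51.100.7 -> 10.0.0.9",
]

FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s+(?P<cls>[^\]]+)\])?"
    r"(?:\s+\[Priority:\s+(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def pri(facility, severity):
    """Syslog PRI value as defined in RFC 3164: facility * 8 + severity."""
    return facility * 8 + severity


def parse_fast_alert(line):
    """Return the fields of one alert_fast line, or None for non-alert text."""
    m = FAST_ALERT.match(line.strip())
    if m is None:
        return None
    fields = m.groupdict()
    fields["prio"] = int(fields["prio"]) if fields["prio"] else None
    return fields


def to_syslog(alert, hostname="sensor1", tag="snort", timestamp=None):
    """Build an RFC 3164 message: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG."""
    ts = timestamp or time.strftime("%b %d %H:%M:%S")
    parts = ["[{gid}:{sid}:{rev}] {msg}".format(**alert)]
    if alert["cls"]:
        parts.append("[Classification: {}]".format(alert["cls"]))
    if alert["prio"] is not None:
        parts.append("[Priority: {}]".format(alert["prio"]))
    parts.append("{{{proto}}} {src} -> {dst}".format(**alert))
    return "<{}>{} {} {}: {}".format(
        pri(LOG_AUTH, LOG_ALERT), ts, hostname, tag, " ".join(parts))


def send_udp(message, host, port=514):
    """Send one datagram.  Plaintext and unauthenticated, like any UDP syslog."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(message.encode("utf-8"), (host, port))


def forward_alerts(lines, host, port=514, sender=send_udp):
    """Parse and forward each line; return (sent, skipped) counts."""
    sent = skipped = 0
    for line in lines:
        alert = parse_fast_alert(line)
        if alert is None:
            skipped += 1      # log chatter or a partial line; do not forward
            continue
        sender(to_syslog(alert), host, port)
        sent += 1
    return sent, skipped


def follow(path, poll=1.0):
    """Yield lines appended to path, like syslog-ng's file() source."""
    with open(path) as fh:
        fh.seek(0, 2)          # start at the end: only new alerts
        while True:
            line = fh.readline()
            if line:
                yield line
            else:
                time.sleep(poll)


if __name__ == "__main__":
    # Dry run on the constructed lines; use send_udp as the sender and
    # follow("/var/log/snort/alert") as the source to tail a live sensor.
    counts = forward_alerts(SAMPLE_ALERTS, "192.0.2.10",
                            sender=lambda m, h, p: print(m))
    print("sent=%d skipped=%d" % counts)
```

Running it prints the two <33>-prefixed messages a receiver on UDP 514 would get; a quick check on the server side is whether those lines land in the file rsyslog's $UDPServerRun 514 listener writes to. Lines that do not match the alert_fast shape are counted rather than forwarded, so a truncated write by Snort never becomes a half-alert at the collector.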
Current thread:
- Snort alerts to a remote syslog server Iliass Hakim (Jun 19)
- Re: Snort alerts to a remote syslog server Kurzawa, Kevin (Jun 19)
- Re: Snort alerts to a remote syslog server Iliass Hakim (Jun 19)
- Re: Snort alerts to a remote syslog server Stephen Gantz (Jun 19)
- Re: Snort alerts to a remote syslog server waldo kitty (Jun 19)
- Re: Snort alerts to a remote syslog server Kurzawa, Kevin (Jun 19)