Snort mailing list archives
Re: Issues with remote syslog and snort.conf
From: Y M <snort () outlook com>
Date: Sat, 26 Jul 2014 19:13:27 +0000
Correction: "...our syslog server did NOT like..." Sorry for the noise.

From: snort () outlook com
To: jlay () slave-tothe-box net
CC: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Issues with remote syslog and snort.conf
Date: Sat, 26 Jul 2014 19:10:49 +0000

Hi James,

Currently we use this method for remote syslog. We also have the same warning, but it still works. On another post (Wed, Jul 2, 2014), someone said "Sending syslog messages directly from Snort is like ages old and deprecated". I did not see the announcement of it being deprecated; however, we use it and it still works. The reason we are still using it instead of Barnyard2 is that our syslog server did like either of the syslog message formats sent from Barnyard2.

From the below examples you have, we use this one:

    output alert_syslog: host=192.168.1.1:514, LOG_AUTH LOG_ALERT

The only difference is that we defined LOCAL7 instead of LOG_AUTH for Snort.

YM

From: jlay () slave-tothe-box net
To: snort-users () lists sourceforge net
Date: Sat, 26 Jul 2014 12:31:53 -0600
Subject: [Snort-users] Issues with remote syslog and snort.conf

From the docs:

    2.6.1.3 Example
    output alert_syslog: host=10.1.1.1:514, <facility> <priority> <options>

I have not been successful in getting this to work with either:

    output alert_syslog: host=192.168.1.1:514, LOG_AUTH LOG_ALERT
    output alert_syslog: LOG_AUTH LOG_ALERT host=192.168.1.253:514

Both get me:

    WARNING: snort.conf (171) => Unrecognized syslog facility/priority: host=192.168.1.1:514

Is there something I'm missing to get this to go? I know Barnyard can do this, but I'm not wanting to go down that path yet.

Thank you.

James

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
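Added example, not code from the thread or from Snort itself: a small Python helper that reads an "output alert_syslog:" line the way the manual's syntax describes (host=addr[:port] plus a facility and a priority keyword), computes the RFC 3164 PRI value that facility/priority pair yields (LOCAL7 + ALERT gives 185, AUTH + ALERT gives 33), and formats the datagram a collector would receive, which is what you compare against when a syslog server rejects a message format. The tokenizer, the sample hostname and the timestamp are assumptions; Snort's own parser is not reproduced here, so a token this helper accepts may still draw the warning quoted above.

```python
import socket
from datetime import datetime

# Numeric codes from <syslog.h> for the facility/priority keywords the
# alert_syslog directive takes (RFC 3164 uses the same numbering).
FACILITIES = {"LOG_AUTH": 4, "LOG_AUTHPRIV": 10, "LOG_DAEMON": 3, "LOG_USER": 1,
              **{f"LOG_LOCAL{i}": 16 + i for i in range(8)}}
PRIORITIES = {"LOG_EMERG": 0, "LOG_ALERT": 1, "LOG_CRIT": 2, "LOG_ERR": 3,
              "LOG_WARNING": 4, "LOG_NOTICE": 5, "LOG_INFO": 6, "LOG_DEBUG": 7}


def parse_alert_syslog(line):
    """Split an 'output alert_syslog: ...' line into host/port, facility,
    priority and any leftover tokens (assumed tokenizer, not Snort's own)."""
    _, _, args = line.partition(":")
    cfg = {"host": None, "port": 514, "facility": None,
           "priority": None, "unrecognized": []}
    for tok in args.replace(",", " ").split():
        if tok.startswith("host="):            # host=addr[:port], as in the manual
            host, _, port = tok[5:].partition(":")
            cfg["host"], cfg["port"] = host, int(port or 514)
        elif tok in FACILITIES:
            cfg["facility"] = tok
        elif tok in PRIORITIES:
            cfg["priority"] = tok
        else:
            cfg["unrecognized"].append(tok)    # keyword neither table knows
    return cfg


def syslog_pri(facility, priority):
    """RFC 3164 PRI field: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + PRIORITIES[priority]


def format_syslog(cfg, msg, hostname="sensor1", ts=None):
    """Build the RFC 3164 line a collector receives for one alert.
    hostname and ts are constructed sample values, not from the thread."""
    ts = ts or datetime(2014, 7, 26, 19, 13, 27)
    pri = syslog_pri(cfg["facility"], cfg["priority"])
    return f"<{pri}>{ts:%b} {ts.day:2d} {ts:%H:%M:%S} {hostname} snort: {msg}"


def send_alert(cfg, msg):
    """Deliver one datagram over UDP to the configured collector."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(format_syslog(cfg, msg).encode(), (cfg["host"], cfg["port"]))
```

Point a test collector (for example a UDP listener on port 514) at the output of format_syslog to see exactly which fields it objects to before blaming the sensor.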