Snort mailing list archives

Re: Issues with remote syslog and snort.conf


From: Y M <snort () outlook com>
Date: Sat, 26 Jul 2014 19:13:27 +0000

Correction: "...our syslog server did NOT like..."
Sorry for the noise.

From: snort () outlook com
To: jlay () slave-tothe-box net
CC: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Issues with remote syslog and snort.conf
Date: Sat, 26 Jul 2014 19:10:49 +0000

Hi James,

Currently we use this method for remote syslog. We also have the same warning, but it still works. On another post (on Wed, Jul 2, 2014), someone said "Sending syslog messages directly from Snort is like ages old and deprecated". I did not see the announcement of it being deprecated; however, we use it and it still works. The reason we are still using it instead of Barnyard2 is that our syslog server did like either syslog message formats sent from Barnyard2.

From the below examples you have, we use this one:

output alert_syslog: host=192.168.1.1:514, LOG_AUTH LOG_ALERT

The only difference is that we defined LOCAL7 instead of LOG_AUTH for Snort.

YM

From: jlay () slave-tothe-box net
To: snort-users () lists sourceforge net
Date: Sat, 26 Jul 2014 12:31:53 -0600
Subject: [Snort-users] Issues with remote syslog and snort.conf

From the docs:

2.6.1.3 Example

    output alert_syslog: host=10.1.1.1:514, <facility> <priority> <options>

I have not been successful in getting this to work with either:

output alert_syslog: host=192.168.1.1:514, LOG_AUTH LOG_ALERT

output alert_syslog: LOG_AUTH LOG_ALERT host=192.168.1.253:514

both get me:

WARNING: snort.conf (171) => Unrecognized syslog facility/priority: host=192.168.1.1:514

Is there something I'm missing to get this to go?  I know barnyard can do this, but I'm not wanting to go down that path yet.  Thank you.

James

------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
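As an added example (not code from the thread, and not Snort's own configuration parser), the script below checks an `output alert_syslog:` line against the documented form quoted above, `host=<addr>[:<port>], <facility> <priority> <options>`. It flags any token that is not a known syslog facility, priority or option, which is the condition behind the "Unrecognized syslog facility/priority" warning, and it computes the syslog PRI value (facility * 8 + severity) that the remote syslog server will see for the chosen facility/priority pair, which is useful when writing the receiving server's filter rules. The facility and severity tables are the standard syslog codes; the option names are the ones listed in the Snort manual's alert_syslog section. The sample lines are the manual's example, the two lines from the original message, and the LOCAL7 variant from the reply.

```python
"""Check a Snort 'output alert_syslog:' line against the documented syntax.

Added example, not Snort's parser. Follows the 2.6.1.3 form quoted in the thread:

    output alert_syslog: host=<addr>[:<port>], <facility> <priority> <options>
"""
import re

# Standard syslog facility and severity names with their numeric codes.
FACILITIES = {
    "LOG_KERN": 0, "LOG_USER": 1, "LOG_MAIL": 2, "LOG_DAEMON": 3,
    "LOG_AUTH": 4, "LOG_SYSLOG": 5, "LOG_LPR": 6, "LOG_NEWS": 7,
    "LOG_UUCP": 8, "LOG_CRON": 9, "LOG_AUTHPRIV": 10, "LOG_FTP": 11,
    "LOG_LOCAL0": 16, "LOG_LOCAL1": 17, "LOG_LOCAL2": 18, "LOG_LOCAL3": 19,
    "LOG_LOCAL4": 20, "LOG_LOCAL5": 21, "LOG_LOCAL6": 22, "LOG_LOCAL7": 23,
}
PRIORITIES = {
    "LOG_EMERG": 0, "LOG_ALERT": 1, "LOG_CRIT": 2, "LOG_ERR": 3,
    "LOG_WARNING": 4, "LOG_NOTICE": 5, "LOG_INFO": 6, "LOG_DEBUG": 7,
}
# Option names from the Snort manual's alert_syslog section.
OPTIONS = {"LOG_CONS", "LOG_NDELAY", "LOG_PERROR", "LOG_PID"}

# host=<addr>[:<port>]; IPv4 addresses or hostnames only (assumption of this example).
HOST_RE = re.compile(r"^host=([^:\s,]+)(?::(\d+))?$")


def check_alert_syslog(line):
    """Return a dict describing the line; 'problems' is empty when it is well-formed."""
    result = {"host": None, "port": 514, "facility": None, "priority": None,
              "options": [], "pri": None, "problems": []}
    m = re.match(r"^\s*output\s+alert_syslog\s*:\s*(.*)$", line)
    if not m:
        result["problems"].append("not an 'output alert_syslog:' line")
        return result
    args = m.group(1).strip()

    # Documented form: an optional host= field comes first, followed by a comma.
    if args.startswith("host="):
        hostpart, _, args = args.partition(",")
        hm = HOST_RE.match(hostpart.strip())
        if not hm:
            result["problems"].append("malformed host= field: %s" % hostpart.strip())
        else:
            result["host"] = hm.group(1)
            if hm.group(2):
                result["port"] = int(hm.group(2))

    # The remainder is whitespace-separated facility / priority / option tokens.
    for tok in args.split():
        if tok in FACILITIES:
            result["facility"] = tok
        elif tok in PRIORITIES:
            result["priority"] = tok
        elif tok in OPTIONS:
            result["options"].append(tok)
        else:
            # A token that is none of the above, e.g. a host= field placed after
            # the facility, is what the thread's warning complains about.
            result["problems"].append("Unrecognized syslog facility/priority: %s" % tok)

    # PRI as the remote syslog server will see it: facility * 8 + severity.
    if result["facility"] and result["priority"]:
        result["pri"] = FACILITIES[result["facility"]] * 8 + PRIORITIES[result["priority"]]
    return result


# Constructed inputs: the manual's example, the two lines from the original
# message, and the LOCAL7 variant mentioned in the reply.
SAMPLE_LINES = [
    "output alert_syslog: host=10.1.1.1:514, LOG_AUTH LOG_ALERT",
    "output alert_syslog: host=192.168.1.1:514, LOG_AUTH LOG_ALERT",
    "output alert_syslog: LOG_AUTH LOG_ALERT host=192.168.1.253:514",
    "output alert_syslog: host=192.168.1.1:514, LOG_LOCAL7 LOG_ALERT",
]

if __name__ == "__main__":
    for ln in SAMPLE_LINES:
        r = check_alert_syslog(ln)
        status = "ok" if not r["problems"] else "; ".join(r["problems"])
        print("%-66s -> host=%s port=%s PRI=%s  %s"
              % (ln, r["host"], r["port"], r["pri"], status))
```

The checker only knows the documented grammar: it accepts the first form from the original message and rejects the second, where `host=...` trails the facility and is read as a priority token. The thread shows that a Snort build which does not handle `host=` at all reports the same warning even for the documented order, and a syntax check cannot tell those two cases apart; the PRI values (33 for LOG_AUTH LOG_ALERT, 185 for LOG_LOCAL7 LOG_ALERT) are what to match on the receiving server once messages do arrive.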