Re: Issues with remote syslog and snort.conf

[James Lay <jlay () slave-tothe-box net>]

On Sat, 2014-07-26 at 19:10 +0000, Y M wrote:
> Hi James,
>
>
> Currently we use this method for remote syslog. We also have the same
> warning but it still works. On another post (On Wed, Jul 2, 2014),
> someone said "Sending syslog messages directly from Snort is like ages
> old and deprecated". I did not see the announcement of it being
> deprecated, however, we use it and it still works. The reason we are
> still using it instead of Barnyard2 is that our syslog server did like
> either syslog message formats sent from Barnyard2.
>
>
> From the below examples you have, we use this one:
>
>
> output alert_syslog: host=192.168.1.1:514, LOG_AUTH LOG_ALERT
>
>
> The only difference is that we defined LOCAL7 instead of LOG_AUTH for
> Snort.
>
>
> YM
>
> ______________________________________________________________________
> From: jlay () slave-tothe-box net
> To: snort-users () lists sourceforge net
> Date: Sat, 26 Jul 2014 12:31:53 -0600
> Subject: [Snort-users] Issues with remote syslog and snort.conf
>
> > From the docs: 
> 2.6.1.3 Example
>     output alert_syslog: host=10.1.1.1:514, <facility> <priority>
> <options>
>
> I have not been successful in getting this to work with either:
>
> output alert_syslog: host=192.168.1.1:514, LOG_AUTH LOG_ALERT
> output alert_syslog: LOG_AUTH LOG_ALERT host=192.168.1.253:514
>
> both get me:
> WARNING: snort.conf (171) => Unrecognized syslog facility/priority:
> host=192.168.1.1:514
>
> Is there something I'm missing to get this to go?  I know barnyard can
> do this, but I'm not wanting to go down that path yet.  Thank you.
>
> James 
>
> ------------------------------------------------------------------------------ Want fast and easy access to all the 
> code in your enterprise? Index and search up to 200,000 lines of code with a free copy of Black Duck Code Sight - the 
> same software that powers the world's largest code search on Ohloh, the Black Duck Open Hub! Try it now. 
> http://p.sf.net/sfu/bds
> _______________________________________________ Snort-users mailing
> list Snort-users () lists sourceforge net Go to this URL to change user
> options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users
> list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
> ------------------------------------------------------------------------------
> Want fast and easy access to all the code in your enterprise? Index and
> search up to 200,000 lines of code with a free copy of Black Duck
> Code Sight - the same software that powers the world's largest code
> search on Ohloh, the Black Duck Open Hub! Try it now.
> http://p.sf.net/sfu/bds
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

Thanks YM...I'll give that a go.

James


------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!