Snort mailing list archives

Re: Remote syslog server using snort.conf


From: Frank Knobbe <fknobbe () knobbeits com>
Date: 25 Aug 2002 11:40:46 -0500

On Sat, 2002-08-24 at 22:48, Wayne T Work wrote:
> Try uncommenting these lines in the conf and fill in the data for SYSlog
> and MySQL


That only works for non-Windows systems. Under Windows, if you want to
log to a remote syslog server (using -s on the command line) *and* use
the outputs configured in snort.conf, you have to hack the source code and
recompile.

Specifically, in snort.c, within ParseCmdLine, you find the section:

            case 's':  /* log alerts to syslog */
                pv.syslog_flag = 1;
                DebugMessage(DEBUG_INIT, "Logging alerts to syslog\n");
                /* command line alerting option has been specified,
                 * override the alert options in the config file
                 */
                pv.alert_cmd_override = 1;
#ifdef WIN32
                pv.syslog_remote_flag = 1;
                toks = mSplit(optarg, ":", 2, &num_toks, 0);
                strncpy(pv.syslog_server, toks[0], STD_BUF-1);
                pv.syslog_server_port = (num_toks == 1) ? 514 : atoi(toks[1]);
                DebugMessage(DEBUG_INIT, "Logging alerts to syslog server %s on port %d\n",
                             pv.syslog_server, pv.syslog_server_port);
#endif
                break;


Since command line args override the snort.conf, 'pv.alert_cmd_override = 1;'
is set. However, under Windows you need to specify the -s option to tell
the system what syslog server to log to. So, if you want to use '-s', but
also want to go through the snort.conf, just set pv.alert_cmd_override to 0.

Recompile and you're good to go.


Since this question pops up repeatedly, I wonder if it wouldn't make
sense to set that flag to 0 by default for the Win32 users...

Regards,
Frank

Attachment: signature.asc
Description: This is a digitally signed message part
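The following is an added example, not code from the original message or from the Snort source tree. It models the Win32 '-s host[:port]' handling described above with pv.alert_cmd_override left at 0, so that output plugins from snort.conf remain active alongside syslog. The struct prog_vars is a hypothetical trimmed stand-in for the fields of Snort's ProgVars that the 's' case touches, and the STD_BUF value is an assumption. Unlike the mSplit()/atoi() code quoted above, the parser here rejects a non-numeric or out-of-range port instead of silently storing 0.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STD_BUF 1024   /* assumed bound for pv.syslog_server */

/* Hypothetical, trimmed model of the ProgVars fields used by -s. */
struct prog_vars {
    int  syslog_flag;          /* -s was given */
    int  syslog_remote_flag;   /* WIN32 build: log to a remote host */
    int  alert_cmd_override;   /* 1 = ignore output plugins in snort.conf */
    char syslog_server[STD_BUF];
    int  syslog_server_port;
};

/* Parse "host[:port]" into pv. Returns 0 on success, -1 on a malformed
 * argument. The port defaults to 514 as in snort.c; a non-numeric or
 * out-of-range port is an error rather than 0.
 * alert_cmd_override is set to 0, the change described in the message,
 * so outputs configured in snort.conf stay active next to syslog. */
int parse_syslog_target(const char *arg, struct prog_vars *pv)
{
    const char *colon;
    size_t hostlen;

    if (arg == NULL || pv == NULL || *arg == '\0')
        return -1;

    memset(pv, 0, sizeof *pv);
    colon = strchr(arg, ':');
    hostlen = colon ? (size_t)(colon - arg) : strlen(arg);
    if (hostlen == 0 || hostlen >= STD_BUF)
        return -1;                       /* empty host or too long for the buffer */
    memcpy(pv->syslog_server, arg, hostlen);
    pv->syslog_server[hostlen] = '\0';

    if (colon == NULL) {
        pv->syslog_server_port = 514;    /* same default as snort.c */
    } else {
        char *end;
        long port;
        errno = 0;
        port = strtol(colon + 1, &end, 10);
        if (errno != 0 || end == colon + 1 || *end != '\0' ||
            port < 1 || port > 65535)
            return -1;                   /* atoi() would have accepted this */
        pv->syslog_server_port = (int)port;
    }

    pv->syslog_flag = 1;
    pv->syslog_remote_flag = 1;
    pv->alert_cmd_override = 0;          /* patched value: keep snort.conf outputs */
    return 0;
}

/* Mirrors the decision made when snort.conf is read: output plugins
 * configured there are loaded only when the command line did not override. */
int conf_outputs_active(const struct prog_vars *pv)
{
    return pv->alert_cmd_override == 0;
}

int main(int argc, char **argv)
{
    struct prog_vars pv;
    /* constructed sample argument when none is given on the command line */
    const char *arg = argc > 1 ? argv[1] : "logger.example.org:1514";

    if (parse_syslog_target(arg, &pv) != 0) {
        fprintf(stderr, "bad -s argument: %s\n", arg);
        return 1;
    }
    printf("syslog server %s port %d, snort.conf outputs %s\n",
           pv.syslog_server, pv.syslog_server_port,
           conf_outputs_active(&pv) ? "kept" : "overridden");
    return 0;
}
```

Run it with the argument you would pass to -s (for example 'logger.example.org' or 'logger.example.org:1514') to see what the parser stores; the validation on the port is the one thing a practitioner would want to keep even if everything else is dropped back into snort.c.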

