Re: alert_syslog plugin problem

[James Nonya <slave_tothe_box () yahoo com>]

On Mon, 26 Jan 2004 12:07:39 +0100 (CET)
"Gema de Toro Sánchez" <detorosanchez () yahoo es> wrote:

> Hi!
>
> I don't know why alert_syslog plugin doesn't work. I
don't find any "/var/log/snort/alert" file. The
configuration of snort output plugins seems like this:
>
####################################################################
> # Step #3: Configure output plugins
>
> #
>
> # Uncomment and configure the output plugins you
decide to use.
> # General configuration for output plugins is of the
form:
> #
>
> # output <name_of_plugin>: <configuration_options>
>
> #
>
> # alert_syslog: log alerts to syslog
>
> # ----------------------------------
>
> # Use one or more syslog facilities as arguments.
Win32 can also
> # optionally specify a particular hostname/port.
Under Win32, the
> # default hostname is '127.0.0.1', and the default
port is 514.
> #
>
> # [Unix flavours should use this format...]
>
> output alert_syslog: LOG_AUTH LOG_ALERT
>
> #
>
> # [Win32 can use any of these formats...]
>
> # output alert_syslog: LOG_AUTH LOG_ALERT
>
> # output alert_syslog: host=hostname, LOG_AUTH
LOG_ALERT
> # output alert_syslog: host=hostname:port, LOG_AUTH
LOG_ALERT
> # log_tcpdump: log packets in binary tcpdump format
>
> # -------------------------------------------------
>
> # The only argument is the output file name.
>
> #
>
> #output log_tcpdump: tcpdump.log
>
> # database: log to a variety of databases
>
> # ---------------------------------------
>
> # See the README.database file for more information
about configuring
> # and using this plugin.
>
> #
>
> #output database: log, mysql, user=snort
password=duende dbname=snort host=localhost
> # output database: alert, postgresql, user=snort
dbname=snort
> # output database: log, unixodbc, user=snort
dbname=snort
> # output database: log, mssql, dbname=snort
user=snort password=test
> # unified: Snort unified binary format alerting and
logging
> #
-------------------------------------------------------------
> # The unified output plugin provides two new formats
for logging
> # and generating alerts from Snort, the "unified"
format. The
> # unified format is a straight binary format for
logging data 
> # out of Snort that is designed to be fast and
efficient. Used
> # with barnyard (the new alert/log processor), most
of the overhead
> # for logging and alerting to various slow storage
mechanisms
> # such as databases or the network can now be
avoided. 
> #
>
> # Check out the spo_unified.h file for the data
formats.
> #
>
> # Two arguments are supported.
>
> # filename - base filename to write to (current
time_t is appended)
> # limit - maximum size of spool file in MB (default:
128)
> #
>
> output alert_unified: filename snort.alert, limit
258
> output log_unified: filename snort.unified.log,
limit 256
> # You can optionally define new rule types and
associate one or 
> # more output plugins specifically to that type.
>
> #
>
> # This example will create a type that will log to
just tcpdump.
> # ruletype suspicious
>
> # {
>
> # type log
>
> # output log_tcpdump: suspicious.log
>
> # }
>
> #
>
> # EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
>
> # suspicious $HOME_NET any -> $HOME_NET 6667
(msg:"Internal IRC Server";)
> #
>
> # This example will create a rule type that will log
to syslog
> # and a mysql database.
>
> #ruletype redalert
>
> # {
>
> # type alert
>
> # output alert_syslog: LOG_AUTH LOG_ALERT
>
> # output database: log, mysql, user=snort
password=duende dbname=snort host=localhost
> # }
>
> #
>
> # EXAMPLE RULE FOR REDALERT RULETYPE
>
> # redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337
\
> # (msg:"Someone is being LEET"; flags:A+;)
>
> #
>
> # Include classification & priority settings
>
> #
>
> include classification.config
>
> #
>
> # Include reference systems
>
> #
>
> include reference.config
#############################################################
>    
>
>      Output log_unified and alert_unified plugins
are enabled because I've also tried to get the log
file "/var/log/snort/alert" using Barnyard. I can get
log_unified and alert_unified files but alert_syslog
file doesn't appear again. Barnyard.conf is like this:
> config hostname: snorthost
>
> config interface: eth0
>
> config filter: not port 22
>
> processor dp_alert
>
> processor dp_log
>
> processor dp_stream_stat
>
> output alert_fast
>
> output log_dump
>
> output alert_syslog: LOG_AUTH LOG_ALERT 
>
> output log_acid_db: mysql, sensor_id 1, database
snort, server localhost, user snort, password duende,
detail full
> Does anybody know what I'm doing wrong. Please, I
need help. Thank you!!
> Gema

Look at where your syslog is (normally
/var/log/messages).

James


__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free web site building tool. Try it!
http://webhosting.yahoo.com/ps/sb/


-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users