Snort mailing list archives

Re: [snort-users] alert_syslog and remote syslogs: win32 only?


From: Frank Knobbe <frank () knobbe us>
Date: Fri, 14 Aug 2009 15:01:37 -0500

On Fri, 2009-08-07 at 19:30 -0400, GravyFace wrote:
> snort -c /etc/snort/snort.conf -pDs -A fast -l /var/log/snort -i eth0
> 
> snort.conf:
> ===========
> var RULE_PATH /etc/snort/rules/
> output alert_syslog: host=192.168.0.3, LOG_AUTH LOG_ALERT
> include $RULE_PATH/test.rules
> [...]
> 
> The documentation seems to imply that this host:port parameter is for
> win32, but I assumed it was -- as the docs mention -- because win32
> doesn't have syslog, and that it would still work under Linux.
> 
> Am I wrong? If so, what's the recommended method of doing remote syslogging?


Oh, that brings back memories... since I had submitted the patch to
enable syslog under Win32 back in... 2001? 2000?

Anyway, yes, if you run *nix, then the syslog directive will cause the
packet to be written to the local syslog. If you want to send any
packets to another syslog server, you have to modify the syslog config
to enable forwarding of alerts.

I'm not sure what syslog daemon you use. I prefer syslog-ng which is
highly customizable, and can be configured to only forward Snort alerts
to a remote server.

Hope that helps,
Frank
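For the forwarding step Frank describes, here is an added syslog-ng configuration fragment. It is not from the original thread and is not Snort's or syslog-ng's own documentation. It assumes syslog-ng 3.x syntax, that Snort logs under the program name `snort` with the `LOG_AUTH LOG_ALERT` facility and level from the quoted snort.conf, and that 192.168.0.3 from that config is the remote collector listening on UDP port 514.

```conf
# Added example: forward only Snort alerts to a remote syslog collector.
# Assumptions: syslog-ng 3.x, Snort's syslog ident is "snort", and the
# output line in snort.conf is "LOG_AUTH LOG_ALERT" as quoted above.
# 192.168.0.3:514/udp is the assumed collector address.

# Local messages, including what Snort's alert_syslog writes via syslog(3).
source s_local { system(); internal(); };

# Match Snort alerts only: program, facility and level must all agree with
# the alert_syslog line, so nothing else from auth.* leaves the host.
filter f_snort { program("^snort$") and facility(auth) and level(alert); };

# Remote collector. Plain UDP is neither authenticated nor encrypted, so an
# alert can be dropped or spoofed in transit; use it only on a trusted
# management network.
destination d_remote { udp("192.168.0.3" port(514)); };

# Forward the filtered alerts. Existing log {} statements for local files
# stay as they are, so the alerts are still written locally as well.
log { source(s_local); filter(f_snort); destination(d_remote); };
```

Validate the file with `syslog-ng --syntax-only -f /etc/syslog-ng/syslog-ng.conf` before reloading, then generate a matching test message with `logger -p auth.alert -t snort "forwarding test"` and confirm it arrives at the collector while a message such as `logger -p auth.info -t sshd "not forwarded"` does not. Where the path to the collector is not trusted, syslog-ng's `network()` destination with `transport("tls")` gives an encrypted, server-authenticated channel in place of the `udp()` destination shown here.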

