Snort mailing list archives

Re: [snort-users] alert_syslog and remote syslogs: win32 only?


From: Frank Knobbe <frank () knobbe us>
Date: Mon, 17 Aug 2009 10:31:01 -0500

On Mon, 2009-08-17 at 10:09 -0400, gravyface wrote:

> Not quite I understand the reasoning behind forcing *nix to write to
> the local syslog only:

'cause that's the way syslog normally works. It's just a system call to
the log function. The application (Snort in this case) doesn't assemble
packets. It just calls a "log" function. The syslog daemon does the
rest.

> it seems a bit cleaner to allow local or remote
> from within Snort, depending on the config value, with a default of
> remote if Win32 vs. local for *nix in the config. No need for any
> filtering/syslog-ng that way.

In Windows the only way to do syslog is to assemble the packet and put
it on the wire. That's the only reason there is an option for a remote
server.

It's actually nicer to have the *nix syslog daemon send the message. For
one, it's less work for Snort, less CPU cycles for logging, and Snort
can allocate more CPU for what it's intended to do, analyze packets.

The other reason is that, once the "log" call has been made, and Snort
is done, the syslog daemon can filter the data if desired, and send to
as many remote machines as you configure, without burdening Snort. 


Cheers,
Frank
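The two paths Frank describes, side by side, as an added example (not code from the thread, and not Snort's own logging code): a sender without a local syslog daemon (the Win32 case) has to assemble an RFC 3164 datagram itself and put it on the wire, whereas on *nix the application makes one `syslog()` library call and the daemon decides where the line goes. The function names, the "sensor1" hostname and the alert text are constructed for the example; the facility/severity numbering and the 1024-byte packet cap are those of RFC 3164. A parser is included so that what arrives at a collector can be checked against what was sent.

```python
import socket
import time

# RFC 3164 facility and severity codes (fixed by the RFC, not by this example).
FACILITY = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
            "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
            "authpriv": 10, "ftp": 11,
            "local0": 16, "local1": 17, "local2": 18, "local3": 19,
            "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
            "notice": 5, "info": 6, "debug": 7}


def encode_pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity (RFC 3164 section 4.1.1)."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def decode_pri(pri: int) -> tuple:
    """Inverse of encode_pri; handy when verifying what a collector received."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    fac = {v: k for k, v in FACILITY.items()}[pri // 8]
    sev = {v: k for k, v in SEVERITY.items()}[pri % 8]
    return fac, sev


def build_packet(facility, severity, hostname, tag, msg, timestamp=None) -> bytes:
    """Assemble one RFC 3164 datagram: <PRI>TIMESTAMP HOSTNAME TAG: MSG

    This is the work a sender without a local syslog daemon (the Win32 case
    in the thread) must do itself before the bytes can leave the box."""
    if timestamp is None:
        t = time.localtime()
        # RFC 3164 wants "Mmm dd hh:mm:ss" with a space-padded day of month.
        timestamp = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    # A newline inside MSG would be logged as several lines at the collector,
    # which is a classic way for log entries to be forged; flatten it.
    msg = msg.replace("\r", " ").replace("\n", " ")
    line = f"<{encode_pri(facility, severity)}>{timestamp} {hostname} {tag}: {msg}"
    return line.encode("utf-8")[:1024]   # RFC 3164 caps a packet at 1024 bytes


def parse_packet(data: bytes) -> dict:
    """Split a datagram back into its fields (collector-side check)."""
    text = data.decode("utf-8", errors="replace")
    if not text.startswith("<") or ">" not in text[:5]:
        raise ValueError("missing PRI field")
    end = text.index(">")
    facility, severity = decode_pri(int(text[1:end]))
    rest = text[end + 1:]
    timestamp, rest = rest[:15], rest[16:]          # fixed-width timestamp
    hostname, rest = rest.split(" ", 1)
    tag, msg = rest.split(": ", 1)
    return {"facility": facility, "severity": severity, "timestamp": timestamp,
            "hostname": hostname, "tag": tag, "msg": msg}


def send_remote(packet: bytes, collector: str, port: int = 514) -> int:
    """Windows-style delivery: the application itself puts the UDP datagram
    on the wire. Returns the number of bytes handed to the socket."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(packet, (collector, port))


def log_local(facility: str, severity: str, tag: str, msg: str) -> None:
    """The *nix path: one library call. Filtering and forwarding to any
    number of remote hosts is then the syslog daemon's job, not the app's."""
    import syslog  # standard library, Unix only
    syslog.openlog(tag, 0, getattr(syslog, "LOG_" + facility.upper()))
    syslog.syslog(getattr(syslog, "LOG_" + severity.upper()), msg)


if __name__ == "__main__":
    # Constructed sample in the shape of a Snort alert line; not a real event.
    alert = "[1:1000001:1] SAMPLE alert [Priority: 2] {TCP} 10.0.0.5:4444 -> 10.0.0.9:80"
    pkt = build_packet("local4", "alert", "sensor1", "snort", alert,
                       timestamp="Aug 17 10:31:01")
    print(pkt.decode())
    print(parse_packet(pkt))
```

With the *nix path, the forwarding Frank mentions lives in the daemon's configuration rather than in Snort; in rsyslog's legacy selector syntax, for instance, a line such as `local4.* @collector.example` (UDP) or `local4.* @@collector.example` (TCP) sends everything Snort logged to that facility to a remote host, and several such lines fan the same alert out to several collectors without Snort doing any extra work.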

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users