Snort mailing list archives

Re: Barnyard Not Outputting to Syslog


From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Thu, 4 Feb 2010 09:54:02 -0700

I suggest you go to Barnyard2, it is currently supported and being developed.

I had a similar setup once (I'm now using Barnyard2), and I believe you actually have to run two instances of barnyard, 
since barnyard doesn't seem to be able to send alerts to two different locations (that's my recollection anyway, as I 
said, now I'm using Barnyard2, and it definitely will do what you want.)



-----Original Message-----
From: infosec posts [mailto:infosec.posts () gmail com] 
Sent: Thursday, February 04, 2010 8:07 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Barnyard Not Outputting to Syslog

I have a snort/barnyard implementation that has been sending alerts to
a remote mysql instance since its inception.  Now, I would like to
also have barnyard send alerts to syslog.  I've reviewed the setup
guides at snort.org and what documentation or pointers I can find via
google, but I haven't come up with any information that is helping me
to correct the issue.

When I enable the syslog output directly in the snort conf, with the
same string I'm using in the barnyard.conf, I get syslog entries
as/where expected, so my local syslog is working fine.  I've tried the
configuration below, using alert_syslog with a remote syslog server,
and also using barnyard's alert_syslog2 plugin both locally and
remotely, but barnyard just doesn't seem to fire anything off to
syslog (when using alert_syslog2, tcpdump on the snort box shows no
traffic attempting to go to the remote machine).  I have continued to
receive events to the remote mysql instance in all of these syslog
test configurations.

====barnyard.conf====
output alert_syslog: LOG_LOCAL4 LOG_ALERT

====snort.conf====
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

====syslog.conf====
#test section for snort
local4.*                                                /var/log/snort-sl-log

====barnyard run string====
 /usr/local/bin/barnyard -c /etc/snort/barnyard.conf -d /var/log/snort
-w /etc/snort/waldo2 -f snort.log


I'm probably missing something minor/obvious, but I'm stumped, so I'd
appreciate any assistance.

Thanks.

------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

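Added example for this thread (not code from the original posts, nor part of Snort or Barnyard): the poster proved the local syslog side works by turning on alert_syslog in snort.conf with the same facility/priority string, which is the right first check. The script below makes that check mechanical: it parses an `output alert_syslog: LOG_<FACILITY> LOG_<PRIORITY>` line and walks a classic sysklogd-style syslog.conf to report which actions (files, @hosts, user lists) would actually receive the message. The syslog.conf used is a constructed sample built around the poster's `local4.*` line; the selector forms supported (`fac.level` meaning that level and more severe, `fac.=level`, `fac.*`, `fac.none`, `*` as a facility, `;` and `,` lists, later parts overriding earlier ones) are the subset assumed relevant here.

```python
"""Check whether the facility/priority Barnyard's alert_syslog plugin emits
would be caught by the selectors in a classic (sysklogd-style) syslog.conf.

Constructed example for the mailing-list thread; not Snort or Barnyard code.
"""
import re

FACILITIES = {"kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"} | {f"local{i}" for i in range(8)}
# Index 0 is the most severe; "fac.level" selects this level and everything above it.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
LEVEL_ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}


def parse_alert_syslog(line):
    """Return (facility, level) from an 'output alert_syslog: LOG_<FAC> LOG_<LVL>' line.

    Both tokens must be present: no default is assumed, so a half-written line
    surfaces as an error instead of a silently guessed facility.
    """
    m = re.match(r"\s*output\s+alert_syslog\s*:\s*(.*)$", line)
    if not m:
        raise ValueError("not an alert_syslog output line: %r" % line)
    facility = level = None
    for tok in m.group(1).split():
        name = tok.lower()
        if name.startswith("log_"):
            name = name[4:]
        name = LEVEL_ALIASES.get(name, name)
        if name in FACILITIES:
            facility = name
        elif name in LEVELS:
            level = name
        # any other token (plugin options) is ignored by this checker
    if facility is None or level is None:
        raise ValueError("alert_syslog needs both a LOG_ facility and a LOG_ priority")
    return facility, level


def _level_spec_matches(spec, level):
    """Evaluate one priority specification ('*', 'info', '=notice') for a message level."""
    if spec == "*":
        return True
    exact = spec.startswith("=")
    name = spec.lstrip("=")
    name = LEVEL_ALIASES.get(name, name)
    if name not in LEVELS:
        raise ValueError("unknown priority in selector: %r" % spec)
    if exact:
        return level == name
    return LEVELS.index(level) <= LEVELS.index(name)


def selector_matches(selector, facility, level):
    """Evaluate a full selector such as '*.info;mail.none;local4.*'."""
    matched = False
    for part in selector.split(";"):
        facs, sep, spec = part.strip().partition(".")
        if not sep:
            raise ValueError("selector part without priority: %r" % part)
        fac_list = {f.strip() for f in facs.split(",")}
        if "*" not in fac_list and facility not in fac_list:
            continue
        # The last part naming this facility wins, which is how 'mail.none' after
        # '*.info' removes mail from a catch-all line.
        spec = spec.strip()
        matched = False if spec == "none" else _level_spec_matches(spec, level)
    return matched


def routes_for(syslog_conf, facility, level):
    """Return the actions (files, @hosts, user lists) that receive facility.level."""
    actions = []
    for raw in syslog_conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split(None, 1)           # selector <whitespace> action
        if len(fields) != 2:
            continue
        selector, action = fields
        if selector_matches(selector, facility, level):
            actions.append(action)
    return actions


def check_barnyard_syslog(barnyard_line, syslog_conf):
    """Where would alerts from this alert_syslog line land under this syslog.conf?"""
    facility, level = parse_alert_syslog(barnyard_line)
    return routes_for(syslog_conf, facility, level)


# Constructed syslog.conf: the poster's local4 line plus typical neighbours.
SAMPLE_SYSLOG_CONF = """\
# /etc/syslog.conf (constructed sample)
*.info;mail.none;authpriv.none;cron.none        /var/log/messages
local4.crit                                     @loghost
local4.=notice                                  /var/log/local4-notices
#test section for snort
local4.*                                        /var/log/snort-sl-log
*.emerg                                         *
"""

if __name__ == "__main__":
    for line in ("output alert_syslog: LOG_LOCAL4 LOG_ALERT",
                 "output alert_syslog: LOG_LOCAL5 LOG_ALERT"):
        print(line, "->", check_barnyard_syslog(line, SAMPLE_SYSLOG_CONF))
```

With the poster's `LOG_LOCAL4 LOG_ALERT` the sample routes to `/var/log/messages`, `@loghost` and `/var/log/snort-sl-log`; changing the facility to `LOG_LOCAL5` leaves only the catch-all `*.info` line, which is the kind of silent mismatch this check is meant to catch before blaming the output plugin.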
