Snort mailing list archives

Re: snort logging both to syslog and unified2


From: "Tudor Panaitescu" <TPanaitescu () colorcon com>
Date: Wed, 19 Jan 2011 19:57:56 -0500


Thanks for the reply. I wish it were that simple ... :-) I already have
syslog working just fine; please read below for the conditions under which snort
doesn't log properly.

Thanks,
Tudor




From:   "Gibson, Nathan J. (HSC)" <Nathan-Gibson () ouhsc edu>
To:     Tudor Panaitescu <TPanaitescu () colorcon com>,
            "snort-users () lists sourceforge net"
            <snort-users () lists sourceforge net>
Date:   01/19/2011 05:41 PM
Subject:        Re: [Snort-users] snort logging both to syslog and unified2



vi /etc/syslog.conf

local0.*    @1.1.1.1 <replace this 1.1.1.1 with your syslog server IP>


service syslog restart

From: Tudor Panaitescu [mailto:TPanaitescu () colorcon com]
Sent: Wednesday, January 19, 2011 3:47 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] snort logging both to syslog and unified2



Hi

I was trying to enable logging on snort together w/ barnyard2 w/ unified2,
and it looks like something is not working properly when trying to log
alerts both to syslog and via barnyard2. It also looks like the syslog
output plugin of barnyard2 (version 1.9) doesn't seem to be working at all,
but this is another part of the story.

1. Right now I have snort running + the good old barnyard and the settings
in snort.conf for logging are:

output log_unified: filename snort-unified.log, limit 128
output alert_syslog: LOG_LOCAL0 LOG_ALERT
output unified2: filename snort.log, limit 128

and the run options are: -A fast -d -D -i eth1 -u root -g snort
-c /etc/snort/snort.conf -l /var/log/snort

in this scenario unified works, syslog works but unified2 doesn't work (no
updates in the unified2 log file)

2. snort conf:
output alert_syslog: LOG_LOCAL0 LOG_ALERT
output unified2: filename snort.log, limit 128

run options: -A fast -d -D -i eth1 -u root -g snort
-c /etc/snort/snort.conf -l /var/log/snort

in this scenario both unified2 and syslog seem to be working fine. However,
barnyard2 doesn't seem to be able to process anything, nothing shows up in
base.

3. snort conf:
output alert_syslog: LOG_LOCAL0 LOG_ALERT
output unified2: filename snort.log, limit 128

run options: -d -D -i eth1 -u root -g snort -c /etc/snort/snort.conf
-l /var/log/snort

unified2 seems to be working OK but syslog is broken; barnyard2 sends data
to base but nothing shows up in the syslog

Any ideas, anyone?

Thanks in advance
Tudor

----------------------
Colorcon - Your Formulation Partner

Visit us at http://www.colorcon.com
Colorcon is committed to energy conservation and to the reduction of waste.
Please consider the environment before you print this e-mail.

"This e-mail may contain information that is confidential or privileged.
If you are not the intended recipient, do not use, print or distribute this
e-mail or any attachments. Please notify the sender and delete the e-mail
and any attachments. Thank you."
------------------------------------------------------------------------------

Protect Your Site and Customers from Malware Attacks
Learn about various malware tactics and how to avoid them. Understand
malware threats, the impact they can have on your business, and how you
can protect your company and customers by using code signing.
http://p.sf.net/sfu/oracle-sfdevnl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
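The question in scenario 1 is whether snort is writing anything to the unified2 file at all (snort suffixes the configured `snort.log` name with a timestamp under `/var/log/snort`). The script below is an added example, not from this thread and not part of snort or barnyard2: a small reader for the unified2 on-disk format that counts records by type, decodes the legacy IDS event records (type 7, and the first 52 bytes of the VLAN variant, type 104), and flags a trailing partial record, which is what you see when snort is still in the middle of a write rather than when it has logged nothing. The field layout follows the published unified2 structures; the sample bytes in `build_sample()` are constructed for the demonstration and are not a real capture.

```python
"""Minimal unified2 reader for checking whether snort's unified2 output is live.

Hypothetical helper, not snort/barnyard2 code. Usage:
    python unified2_check.py /var/log/snort/snort.log.1295470676
"""
import socket
import struct
import sys
from collections import Counter
from typing import Dict, Iterator, List, Tuple

# Record type codes from the unified2 on-disk format.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7             # legacy IPv4 event, 52-byte body
UNIFIED2_IDS_EVENT_IPV6 = 72
UNIFIED2_IDS_EVENT_VLAN = 104      # same first 52 bytes, then mpls/vlan fields
UNIFIED2_IDS_EVENT_IPV6_VLAN = 105
UNIFIED2_EXTRA_DATA = 110

# Every record starts with record_type and record_length, network byte order.
RECORD_HEADER = struct.Struct("!II")
# Unified2IDSEvent_legacy: 11 x u32, 2 x u16, 4 x u8 = 52 bytes.
IDS_EVENT_LEGACY = struct.Struct("!11I2H4B")
# Serial_Unified2Packet header: 7 x u32 = 28 bytes, followed by packet_data.
PACKET_HEADER = struct.Struct("!7I")


def iter_records(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (record_type, body) for each complete record.

    A trailing partial record is yielded with type -1, so a caller can tell
    "snort is mid-write / file truncated" apart from "no events at all".
    """
    offset = 0
    while offset < len(data):
        if len(data) - offset < RECORD_HEADER.size:
            yield -1, data[offset:]
            return
        rtype, rlen = RECORD_HEADER.unpack_from(data, offset)
        start = offset + RECORD_HEADER.size
        body = data[start:start + rlen]
        if len(body) < rlen:
            yield -1, body
            return
        yield rtype, body
        offset = start + rlen


def decode_event(body: bytes) -> Dict[str, object]:
    """Decode the 52-byte legacy IDS event layout into a readable dict."""
    (sensor_id, event_id, event_second, _usec, sig_id, gen_id, sig_rev,
     _class_id, priority, src, dst, sport, dport, proto,
     _impact_flag, _impact, blocked) = IDS_EVENT_LEGACY.unpack_from(body)
    return {
        "sensor_id": sensor_id,
        "event_id": event_id,
        "event_second": event_second,
        "sid": f"{gen_id}:{sig_id}:{sig_rev}",
        "priority": priority,
        "src": socket.inet_ntoa(struct.pack("!I", src)),
        "src_port": sport,
        "dst": socket.inet_ntoa(struct.pack("!I", dst)),
        "dst_port": dport,
        "protocol": proto,
        "blocked": blocked,
    }


def summarize(data: bytes) -> Dict[str, object]:
    """Count records by type, decode IPv4 events, and note truncation."""
    counts: Counter = Counter()
    events: List[Dict[str, object]] = []
    truncated = False
    for rtype, body in iter_records(data):
        if rtype == -1:
            truncated = True
            break
        counts[rtype] += 1
        if rtype in (UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_VLAN) \
                and len(body) >= IDS_EVENT_LEGACY.size:
            events.append(decode_event(body))
    return {"counts": dict(counts), "events": events, "truncated": truncated}


def build_sample() -> bytes:
    """Constructed file contents: one event, one packet, one unfinished record."""
    event_body = IDS_EVENT_LEGACY.pack(
        1, 42, 1295470676, 123456,        # sensor, event id, seconds, usec
        1000001, 1, 3, 0, 2,              # sid, gid, rev, class, priority
        int.from_bytes(socket.inet_aton("10.0.0.5"), "big"),
        int.from_bytes(socket.inet_aton("192.0.2.10"), "big"),
        40000, 80,                        # sport_itype, dport_icode
        6, 0, 0, 0,                       # protocol, impact_flag, impact, blocked
    )
    packet_data = b"\x45\x00\x00\x28"     # constructed: start of an IPv4 header
    packet_body = PACKET_HEADER.pack(1, 42, 1295470676, 1295470676, 123456,
                                     1, len(packet_data)) + packet_data
    return (RECORD_HEADER.pack(UNIFIED2_IDS_EVENT, len(event_body)) + event_body
            + RECORD_HEADER.pack(UNIFIED2_PACKET, len(packet_body)) + packet_body
            + RECORD_HEADER.pack(UNIFIED2_IDS_EVENT, 52))  # header only: mid-write


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(summarize(raw))
```

Run it against a file that snort has had open for a while: a `counts` dict that stays empty between runs, with `truncated` false, means snort is not emitting to that file; a non-empty `counts` with barnyard2 still showing nothing in BASE points at barnyard2's input or waldo file instead.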

