Snort mailing list archives

Re: Is it possible to change the output format for the alert_syslog module?


From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 02 Aug 2013 07:47:55 -0400

On 8/2/2013 04:06, Niels van Eijck wrote:
Thank you Waldo for your reply, but that is not exactly what I'm looking for,
I do not want alert logging in two different places.

that's why i stated "use a different output module *OR* [...]" ;)

I want to log the alert with Syslog, with the message as CSV format.

For example, my Syslog log looks now something like this:

<169>1 2013-08-02T12:34:56.000000Z host snort  - -  [1:111111:1] Test Alert
{UDP} x.x.x.x:111 -> y.y.y.y:222

But what I want is this:

<169>1 2013-08-02T12:34:56.000000Z host snort  - -  1,111111,1,"Test
Alert",UDP,x.x.x.x,111,y.y.y.y,222

better dig out your compiler and figure out what's needed to write your own 
output module, then... the above is completely non-standard and there is no 
option to specify the message format in the syslog output... you get one or the 
other...

question: why would you want the format like that? it would be better, simpler 
and easier to process a CSV log file directly instead of having to mess around 
with trying to parse a syslog log... then you can send the data to syslog from 
your parser...

-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
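The parser-first approach suggested above, as an added example that is not code from the thread or from Snort: it splits a syslog line in the shape shown (RFC 5424-style header, then the alert_syslog message) into fields and renders the CSV row the original poster asked for. The sample line is constructed; the regexes assume the header layout shown in the thread and IPv4 addresses.

```python
import re

# Constructed sample in the shape quoted in the thread; addresses are placeholders.
SAMPLE = ('<169>1 2013-08-02T12:34:56.000000Z host snort  - -  '
          '[1:111111:1] Test Alert {UDP} 10.0.0.1:111 -> 10.0.0.2:222')

# Header: PRI, version, timestamp, host, app-name, procid, msgid, then free text.
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ver>\d+)\s+(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<app>\S+)\s+'
    r'(?P<procid>\S+)\s+(?P<msgid>\S+)\s+(?P<text>.*)$')

# Message: "[gid:sid:rev] description {PROTO} src:sport -> dst:dport".
# Ports are optional so that port-less alerts (e.g. ICMP) still parse.
# Assumes IPv4 addresses; IPv6 would need a different address pattern.
ALERT_RE = re.compile(
    r'^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+'
    r'\{(?P<proto>[A-Z0-9]+)\}\s+(?P<src>[^\s:]+)(?::(?P<sport>\d+))?\s+->\s+'
    r'(?P<dst>[^\s:]+)(?::(?P<dport>\d+))?\s*$')

def parse_alert(line):
    """Return a dict of header + alert fields, or None if the line is not a Snort alert."""
    h = HEADER_RE.match(line.rstrip('\r\n'))
    if not h:
        return None
    a = ALERT_RE.match(h.group('text'))
    if not a:
        return None
    rec = {k: h.group(k) for k in ('pri', 'ver', 'ts', 'host', 'app')}
    rec.update(a.groupdict())
    return rec

def to_csv(rec):
    """Render the CSV row requested in the thread: the description is quoted,
    the numeric and address fields are bare; missing ports become empty fields."""
    desc = '"' + rec['msg'].replace('"', '""') + '"'   # escape embedded quotes
    return ','.join([rec['gid'], rec['sid'], rec['rev'], desc, rec['proto'],
                     rec['src'], rec['sport'] or '', rec['dst'], rec['dport'] or ''])

if __name__ == '__main__':
    print(to_csv(parse_alert(SAMPLE)))
```

The parsed dict also keeps the syslog timestamp and host, so the CSV row can be re-emitted to syslog or written to a file as the reply suggests.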
