Snort mailing list archives
Re: Fwd: Unrecognised syslog facility/priority in snort
From: Peter Bates <peter.bates () ucl ac uk>
Date: Fri, 18 Oct 2013 09:56:07 +0100
Hello all,

Apologies for jumping in on this thread. On 18/10/2013 02:42, Mayur Patil wrote:

> In snort.conf, stick to output alert_syslog: host=172.20.54.213:514, LOG_AUTH LOG_ALERT
>
> Also a noticeable thing: I observed on IP 172.20.54.213, in the file /etc/rsyslog.d/50-default.conf, the line
>
>     auth,authpriv.* /var/log/auth.log
>
> and /var/log/auth.log is having recent entries of the snort alerts logging there, whichever Wireshark is showing, while syslog is not logging them.

This shows things are working - you are sending the alerts from Snort with a facility of log_auth.

Just to point out - local0-local7 exist for application specific syslog alerts; 'auth' is and should be for authentication events.

I have in /etc/rsyslog.d/50-default.conf:

    local1.* -/var/log/snort.log

You also need local1.none on the line with /var/log/syslog, otherwise you'll log everything twice.

With the above, you'd then have

    output alert_syslog: host=172.20.54.213:514, LOG_LOCAL1 LOG_ALERT

in your snort.conf.

You might also want:

    $RepeatedMsgReduction off

in /etc/rsyslog.conf if you want to distinguish properly between different events.

-- 
Peter Bates
Senior Information Security Officer
Information Services Division, University College London, London WC1E 6BT
Phone: +44(0)2076792049 (Internal Ext: 32049)
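As an added illustration, not part of Peter's reply or of the Snort or rsyslog projects, the Python below encodes the syslog PRI value that alert_syslog emits for a given facility and level, decodes it from a received line, and simulates classic rsyslog selector routing, which makes the effect of local1.none on the /var/log/syslog line visible. The selector semantics are simplified, and the rules and sample alert line are constructed for the example.

```python
import re

# Facility/severity codes from RFC 3164 (same numbers as <syslog.h>).
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11, **{f"local{i}": 16 + i for i in range(8)}}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
FAC_BY_CODE = {v: k for k, v in FACILITIES.items()}
SEV_BY_CODE = {v: k for k, v in SEVERITIES.items()}

def encode_pri(facility, severity):
    """PRI = facility * 8 + severity; LOG_LOCAL1 + LOG_ALERT gives <137>."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]

def decode_pri(line):
    """Return (facility, severity) names from a syslog line's '<PRI>' header."""
    m = re.match(r"<(\d{1,3})>", line)
    if not m:
        raise ValueError("no <PRI> header: " + line[:40])
    pri = int(m.group(1))
    return FAC_BY_CODE[pri >> 3], SEV_BY_CODE[pri & 7]

def route(line, rules):
    """Simulate classic rsyslog selectors 'fac[,fac].level[;...]  target'.
    Level '*' matches all severities, 'none' drops the facility, a named level
    matches it or anything more severe; later parts override earlier ones."""
    fac, sev = decode_pri(line)
    targets = []
    for selector, target in rules:
        matched = False
        for part in selector.split(";"):
            facs, level = part.split(".")
            if facs != "*" and fac not in facs.split(","):
                continue
            if level == "none":
                matched = False
            elif level == "*" or SEVERITIES[sev] <= SEVERITIES[level]:
                matched = True
        if matched:
            targets.append(target)
    return targets

# Constructed rsyslog rules mirroring the advice in the reply above.
RULES = [("local1.*", "/var/log/snort.log"),
         ("*.*;auth,authpriv.none;local1.none", "/var/log/syslog"),
         ("auth,authpriv.*", "/var/log/auth.log")]
# Constructed Snort alert as received on UDP 514 with LOG_LOCAL1 LOG_ALERT.
SAMPLE = "<137>Oct 18 09:56:07 sensor snort[1234]: [1:1000001:1] TEST alert {TCP} 10.0.0.5:80 -> 10.0.0.9:45678"
```

Dropping the local1.none part from the /var/log/syslog selector makes route() return both files for SAMPLE, which is the duplicate logging the reply warns about.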