Snort mailing list archives

Re: snort log to remote syslog


From: Y M <snort () outlook com>
Date: Wed, 2 Jul 2014 20:19:48 +0000

Depending on your OS distro, is the facility/priority defined in your syslog configuration? Something like LOCAL6 @remote.syslog.IP.address? And then using the same in your snort.conf. Despite the warning, this should still work. Another alternative, if you are using Barnyard2 already, is to send the syslog messages to the remote server using Barnyard2.
YM

From: robm () millottandassociates com
Date: Wed, 2 Jul 2014 11:16:42 -0400
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort log to remote syslog

I am trying to get snort to send my alerts to a remote syslog server. I have configured snort to log to the local /var/log/messages, then using syslog-ng to forward logs to the remote syslog server using:

output alert_syslog: LOG_AUTH LOG_ALERT

but I want to change it so snort sends directly to the remote server. I edited snort.conf and changed the output line to

output alert_syslog: host=xxx.xxx.xxx.xxx:1516, LOG_AUTH LOG_ALERT

but when I start snort I get

WARNING: /etc/snort/snort.conf (531) => Unrecognized syslog facility/priority: host=xxx.xxx.xxx.xxx:1516,

I have looked over the manual and copied that line directly from it, but I still get the error.

Am I missing something?

-- 
Robert Millott
President, Millott and Associates
(443) 255-3588
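A way to check the pieces of this independently of Snort, as an added example that is not from the thread or from the Snort project: it parses the alert_syslog directive quoted above, maps the LOG_* names to the RFC 3164 PRI value that ends up on the wire, and sends a test record over UDP to a loopback collector, so the same function can be pointed at the real collector address to confirm the remote path works. The function names, the sample sensor name and the alert text are the example's own assumptions.

```python
import socket
import time

# RFC 3164 codes for the LOG_* names used in snort.conf (LOCAL6 is the facility YM suggests)
FACILITIES = {"LOG_AUTH": 4, "LOG_USER": 1, "LOG_DAEMON": 3, "LOG_AUTHPRIV": 10,
              **{f"LOG_LOCAL{i}": 16 + i for i in range(8)}}
SEVERITIES = {"LOG_EMERG": 0, "LOG_ALERT": 1, "LOG_CRIT": 2, "LOG_ERR": 3,
              "LOG_WARNING": 4, "LOG_NOTICE": 5, "LOG_INFO": 6, "LOG_DEBUG": 7}

def parse_alert_syslog(directive):
    """Parse 'output alert_syslog: [host=H[:P],] FACILITY SEVERITY'.
    Returns (host, port, facility, severity, unrecognized); an unrecognized
    token is exactly what the warning quoted in the thread reports."""
    body = directive.split(":", 1)[1]
    host, port, facility, severity, unknown = "127.0.0.1", 514, None, None, []
    for tok in body.replace(",", " ").split():
        if tok.lower().startswith("host="):
            host, _, p = tok[5:].rpartition(":") if ":" in tok[5:] else (tok[5:], "", "")
            port = int(p) if p else 514
        elif tok.upper() in FACILITIES:
            facility = FACILITIES[tok.upper()]
        elif tok.upper() in SEVERITIES:
            severity = SEVERITIES[tok.upper()]
        else:
            unknown.append(tok)
    return host, port, facility, severity, unknown

def build_syslog_message(facility, severity, hostname, tag, text):
    """BSD-syslog line; PRI = facility * 8 + severity (<33> for LOG_AUTH/LOG_ALERT)."""
    t = time.localtime()
    ts = time.strftime("%b ", t) + f"{t.tm_mday:2d}" + time.strftime(" %H:%M:%S", t)
    return f"<{facility * 8 + severity}>{ts} {hostname} {tag}: {text}"

def send_udp(host, port, message):
    """Send one message over UDP to the collector, as a syslog forwarder would."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(message.encode(), (host, port))

def loopback_check(message):
    """Stand in for a collector on 127.0.0.1, send the message to it, return what arrived."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2)
        send_udp("127.0.0.1", rx.getsockname()[1], message)
        data, _ = rx.recvfrom(2048)
    return data.decode()
```

Replacing the loopback address in send_udp with the collector's host and port exercises the firewall path and the collector's listener without involving Snort at all; if that record never shows up on the remote side, the snort.conf line is not the problem.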



------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!                                        