Snort mailing list archives

Re: Issues with remote syslog and snort.conf


From: Stephen Gantz <stephen.gantz () faculty umuc edu>
Date: Sat, 26 Jul 2014 15:30:46 -0400

James,

Is your syslog host your gateway? You have the host in the first alert line as 192.168.1.1. If it is the same box you 
are running Snort on, you can just use local host instead, like this:

output alert_syslog: host=127.0.0.1:514, LOG_AUTH LOG_ALERT

Otherwise, maybe you meant to have 192.168.1.253 in there. I was under the impression that the comma separator (in your 
first line, but not the second) is required. I have never tried to list the host last instead of first, but I have 
never had any trouble listing the host first.

One other thing to try: are you using -s in your startup command for Snort? I have found that the -s option is needed, 
even when snort.conf is configured properly for syslog output. I know this is counter to the documentation, but you 
might try adding -s to the startup string.


Dr. Stephen D. Gantz
CISSP-ISSAP, CEH, CGEIT, CRISC, CIPP/G, C|CISO
Professor of Information Assurance
The Graduate School
University of Maryland University College
stephen.gantz () faculty umuc edu

On Jul 26, 2014, at 2:31 PM, James Lay <jlay () slave-tothe-box net> wrote:

From the docs:

2.6.1.3 Example
    output alert_syslog: host=10.1.1.1:514, <facility> <priority> <options>

I have not been successful in getting this to work with either:

output alert_syslog: host=192.168.1.1:514, LOG_AUTH LOG_ALERT
output alert_syslog: LOG_AUTH LOG_ALERT host=192.168.1.253:514

both get me:
WARNING: snort.conf (171) => Unrecognized syslog facility/priority: host=192.168.1.1:514

Is there something I'm missing to get this to go?  I know barnyard can do this, but I'm not wanting to go down that 
path yet.  Thank you.

James


------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
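The thread above turns on two things: whether the `output alert_syslog:` line follows the layout the manual shows (host option first, comma, then facility and priority), and whether the syslog datagrams actually reach the collector. The following script is an added example, not code from either poster or from the Snort project. It parses a config line against the documented layout, encodes the facility/priority pair into the RFC 3164 PRI value a collector will see, and decodes a received datagram; the `loopback_check` function binds an ephemeral UDP port on 127.0.0.1 so the end-to-end path can be exercised without root (port 514 would need it). How Snort itself tokenises the line is not claimed here; the `LOG_*` tables, the sample alert text and the function names are this example's own.

```python
"""Check a Snort-style ``output alert_syslog`` line and the syslog traffic it
should produce.  Added example; the option layout follows the manual excerpt
quoted in the thread, not Snort's actual parser."""
import re
import socket

# Facility and severity codes from RFC 3164 / <syslog.h>; snort.conf uses the
# same LOG_* names.
FACILITIES = {"LOG_KERN": 0, "LOG_USER": 1, "LOG_MAIL": 2, "LOG_DAEMON": 3,
              "LOG_AUTH": 4, "LOG_SYSLOG": 5, "LOG_LPR": 6, "LOG_NEWS": 7,
              "LOG_UUCP": 8, "LOG_CRON": 9, "LOG_AUTHPRIV": 10, "LOG_FTP": 11,
              **{f"LOG_LOCAL{i}": 16 + i for i in range(8)}}
PRIORITIES = {"LOG_EMERG": 0, "LOG_ALERT": 1, "LOG_CRIT": 2, "LOG_ERR": 3,
              "LOG_WARNING": 4, "LOG_NOTICE": 5, "LOG_INFO": 6, "LOG_DEBUG": 7}
OPTIONS = {"LOG_CONS", "LOG_NDELAY", "LOG_PERROR", "LOG_PID"}

HOST_RE = re.compile(r"^host=(?P<host>[^:,\s]+)(?::(?P<port>\d{1,5}))?$")
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.S)


def parse_alert_syslog(line):
    """Parse ``output alert_syslog: [host=<ip>[:<port>],] <facility> <priority> [<options>]``
    as laid out in manual section 2.6.1.3.  Any token that is not a known
    facility, priority or option (for example a trailing ``host=`` token) raises
    ValueError naming it, mirroring the warning text seen in the thread."""
    prefix = "output alert_syslog:"
    if not line.startswith(prefix):
        raise ValueError("not an alert_syslog output line")
    body = line[len(prefix):].strip()
    cfg = {"host": "127.0.0.1", "port": 514, "facility": None,
           "priority": None, "options": []}
    if body.startswith("host="):            # host option comes first, comma-separated
        head, _, body = body.partition(",")
        m = HOST_RE.match(head.strip())
        if not m:
            raise ValueError(f"bad host option: {head.strip()}")
        cfg["host"] = m.group("host")
        if m.group("port"):
            cfg["port"] = int(m.group("port"))
    for tok in body.split():
        if tok in FACILITIES and cfg["facility"] is None:
            cfg["facility"] = tok
        elif tok in PRIORITIES and cfg["priority"] is None:
            cfg["priority"] = tok
        elif tok in OPTIONS:
            cfg["options"].append(tok)
        else:
            raise ValueError(f"Unrecognized syslog facility/priority: {tok}")
    if cfg["facility"] is None or cfg["priority"] is None:
        raise ValueError("facility and priority are both required")
    return cfg


def pri_value(facility, priority):
    """RFC 3164 PRI = facility * 8 + severity; LOG_AUTH + LOG_ALERT gives 33."""
    return FACILITIES[facility] * 8 + PRIORITIES[priority]


def decode_pri(datagram):
    """Split a received syslog datagram into (facility_name, priority_name, text)."""
    m = PRI_RE.match(datagram)
    if not m:
        raise ValueError("missing <PRI> header")
    fac_code, sev_code = divmod(int(m.group("pri")), 8)
    fac = next((n for n, c in FACILITIES.items() if c == fac_code), f"facility{fac_code}")
    sev = next(n for n, c in PRIORITIES.items() if c == sev_code)
    return fac, sev, m.group("rest")


def loopback_check(cfg, text):
    """Send one datagram the way a syslog client would and decode what arrives.
    Uses an ephemeral port on 127.0.0.1 instead of cfg['host']:514 so it needs
    no privileges; the PRI header is built from the parsed config."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))
    listener.settimeout(2)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        payload = f"<{pri_value(cfg['facility'], cfg['priority'])}>{text}"
        sender.sendto(payload.encode(), listener.getsockname())
        data, _ = listener.recvfrom(65535)
        return decode_pri(data.decode())
    finally:
        sender.close()
        listener.close()


if __name__ == "__main__":
    # Constructed sample alert text; the sid and addresses are placeholders.
    SAMPLE = ("Jul 26 14:31:00 sensor snort[4242]: [1:1000001:0] CONSTRUCTED test alert "
              "{UDP} 192.168.1.10:5000 -> 192.168.1.253:514")
    conf = parse_alert_syslog("output alert_syslog: host=192.168.1.253:514, LOG_AUTH LOG_ALERT")
    print(conf, "PRI", pri_value(conf["facility"], conf["priority"]))
    print(loopback_check(conf, SAMPLE))
    for bad in ("output alert_syslog: LOG_AUTH LOG_ALERT host=192.168.1.253:514",):
        try:
            parse_alert_syslog(bad)
        except ValueError as err:
            print("WARNING:", err)
```

On a real collector the same `decode_pri` can be pointed at whatever arrives on UDP 514 to confirm that the facility and severity match what snort.conf asked for (PRI 33 for LOG_AUTH/LOG_ALERT) before looking for problems elsewhere.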