Snort mailing list archives

Re: Issues with remote syslog and snort.conf


From: James Lay <jlay () slave-tothe-box net>
Date: Sat, 26 Jul 2014 14:47:51 -0600

On Sat, 2014-07-26 at 15:30 -0400, Stephen Gantz wrote:
James,


Is your syslog host your gateway? You have the host in the first alert
line as 192.168.1.1. If it is the same box you are running Snort on,
you can just use localhost instead, like this:


output alert_syslog: host=127.0.0.1:514, LOG_AUTH LOG_ALERT

Otherwise, maybe you meant to have 192.168.1.253 in there. I was under
the impression that the comma separator (in your first line, but not
the second) is required. I have never tried to list the host last
instead of first, but I have never had any trouble listing the host
first.


One other thing to try: are you using -s in your startup command for
Snort? I have found that the -s option is needed, even when snort.conf
is configured properly for syslog output. I know this is counter to
the documentation, but you might try adding -s to the startup string.



Dr. Stephen D. Gantz

CISSP-ISSAP, CEH, CGEIT, CRISC, CIPP/G, C|CISO
Professor of Information Assurance
The Graduate School
University of Maryland University College
stephen.gantz () faculty umuc edu

On Jul 26, 2014, at 2:31 PM, James Lay <jlay () slave-tothe-box net> wrote:


From the docs: 
2.6.1.3 Example
    output alert_syslog: host=10.1.1.1:514, <facility> <priority> <options>

I have not been successful in getting this to work with either:

output alert_syslog: host=192.168.1.1:514, LOG_AUTH LOG_ALERT
output alert_syslog: LOG_AUTH LOG_ALERT host=192.168.1.253:514

both get me:
WARNING: snort.conf (171) => Unrecognized syslog facility/priority: host=192.168.1.1:514

Is there something I'm missing to get this to go?  I know barnyard
can do this, but I'm not wanting to go down that path yet.  Thank
you.

James 


------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index
and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!


Well I'll be....yep as soon as I added -s it works like a champ...that
doesn't make sense.  Hey Joel would we consider this a bug?   To recap:

output alert_syslog: LOG_AUTH LOG_ALERT

the above works without -s

output alert_syslog: host=192.168.1.1:514, LOG_AUTH LOG_ALERT

the above requires -s

Thank you...and thanks Stephen....good to see someone from my alma mater
on the list :)

James
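Added example, not code from the thread or from Snort: a small Python receiver that decodes the syslog PRI of each datagram arriving at the collector, so you can confirm that alerts from the `host=...:514` output line really arrive with the LOG_AUTH/LOG_ALERT priority (for instance when comparing runs with and without -s). The sample datagram, the listening port and UDP transport are assumptions.

```python
import re
import socket

# RFC 3164 code tables. LOG_AUTH is facility 4 and LOG_ALERT severity 1, so the
# "LOG_AUTH LOG_ALERT" line from the thread should arrive with PRI 4*8+1 = 33.
FACILITIES = {0: "LOG_KERN", 1: "LOG_USER", 2: "LOG_MAIL", 3: "LOG_DAEMON",
              4: "LOG_AUTH", 5: "LOG_SYSLOG", 6: "LOG_LPR", 7: "LOG_NEWS",
              8: "LOG_UUCP", 9: "LOG_CRON", 10: "LOG_AUTHPRIV", 11: "LOG_FTP"}
SEVERITIES = ["LOG_EMERG", "LOG_ALERT", "LOG_CRIT", "LOG_ERR",
              "LOG_WARNING", "LOG_NOTICE", "LOG_INFO", "LOG_DEBUG"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")

def decode_pri(datagram):
    """Split a syslog datagram into (facility name, severity name, body)."""
    m = PRI_RE.match(datagram)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # facility <= 23 and severity <= 7
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    body = datagram[m.end():].decode("utf-8", errors="replace")
    return (FACILITIES.get(facility, f"LOG_FACILITY{facility}"),
            SEVERITIES[severity], body)

def is_snort_auth_alert(datagram):
    """True if the datagram is what the thread's config should emit:
    LOG_AUTH facility, LOG_ALERT severity, and a Snort alert body."""
    facility, severity, body = decode_pri(datagram)
    return (facility, severity) == ("LOG_AUTH", "LOG_ALERT") and "snort" in body.lower()

def receive_alerts(port=514, limit=3, timeout=30.0):
    """Bind UDP and collect datagrams to see whether the sensor reaches the
    collector. Port 514 needs root; a high port plus host=<collector>:<port> works."""
    got = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        sock.settimeout(timeout)
        while len(got) < limit:
            try:
                data, peer = sock.recvfrom(2048)
            except socket.timeout:
                break
            got.append(data)
            print(peer[0], decode_pri(data))
    return got

# Constructed sample datagram in the shape of a Snort syslog alert (not a capture).
SAMPLE = (b"<33>Jul 26 14:47:51 sensor snort[4242]: [1:1000001:1] CONSTRUCTED test rule"
          b" [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.50:40000 -> 192.168.1.253:22")
```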

