Re: snort log to remote syslog

[Robert Millott <robm () millottandassociates com>]

Im using snort 2.9.6 on a Gentoo box.
I've use barnyard2 before to send logs to a mysql database, with a snorby
front end, but now I am using an arcsight seim.  Isn't installing barnyard
allot of overhead, just to dump the alerts to a syslog server to be picked
up by the seim?  Some of our sensors are already seeing more traffic than
they can handle, so we have some serious tuning to do, so I don't want to
be running more apps on the box if I dont' need to.

Thanx for the reply


On Wed, Jul 2, 2014 at 4:27 PM, Jaime Nebrera <jnebrera () redborder org>
wrote:

> What Snort are you using?
>
> Sending syslog messages directly from Snort is like ages old and
> deprecated
>
> Instead you have to configure barnyard2 or similar to do so
> El 02/07/2014 17:18, "Robert Millott" <robm () millottandassociates com>
> escribió:
>
> >  I am trying to get snort to send my alerts to a remote syslog server.
> >  I have configured snort to log to the local /var/log/messages, then using
> > syslog-ng to forward logs to remote syslog server using:
> >
> > output alert_syslog: LOG_AUTH LOG_ALERT
> >
> > but I want to change it so snort send directly to the remote server.  I
> > edited snort.conf and change the output line to
> >
> > output alert_syslog: host=xxx.xxx.xxx.xxx:1516, LOG_AUTH LOG_ALERT
> >
> > but when I start snort I get
> > WARNING: /etc/snort/snort.conf (531) => Unrecognized syslog
> > facility/priority: host=xxx.xxx.xxx.xxx:1516,
> >
> > I have looked over the manual and copied that line directly from it, but
> > I still get the error.
> >
> > Am I missing something?
> >
> >
> > On Wed, Jul 2, 2014 at 10:45 AM, Robert Millott <
> > robm () millottandassociates com> wrote:
> >
> > > I am trying to get snort to send my alerts to a remote syslog server.  I
> > > have configured snort to log to the local /var/log/messages, then using
> > > syslog-ng to forward logs to remote syslog server using:
> > >
> > > output alert_syslog: LOG_AUTH LOG_ALERT
> > >
> > > but I want to change it so snort send directly to the remote server.  I
> > > edited snort.conf and change the output line to
> > >
> > > output alert_syslog: host=xxx.xxx.xxx.xxx:1516, LOG_AUTH LOG_ALERT
> > >
> > > but when I start snort I get
> > > WARNING: /etc/snort/snort.conf (531) => Unrecognized syslog
> > > facility/priority: host=xxx.xxx.xxx.xxx:1516,
> > >
> > > I have looked over the manual and copied that line directly from it, but
> > > I still get the error.
> > >
> > > Am I missing something?
> > >
> > > --
> > > Robert Millott
> > > President, Millott and Associates
> > > (443) 255-3588
> >
> >
> >
> > --
> > Robert Millott
> > President, Millott and Associates
> > (443) 255-3588
> >
> >
> > ------------------------------------------------------------------------------
> > Open source business process management suite built on Java and Eclipse
> > Turn processes into business applications with Bonita BPM Community
> > Edition
> > Quickly connect people, data, and systems into organized workflows
> > Winner of BOSSIE, CODIE, OW2 and Gartner awards
> > http://p.sf.net/sfu/Bonitasoft
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> > Snort news!


-- 
Robert Millott
President, Millott and Associates
(443) 255-3588

------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!