Snort mailing list archives
Re: snort log to remote syslog
From: Robert Millott <robm () millottandassociates com>
Date: Wed, 2 Jul 2014 18:04:00 -0400
Im using snort 2.9.6 on a Gentoo box. I've use barnyard2 before to send logs to a mysql database, with a snorby front end, but now I am using an arcsight seim. Isn't installing barnyard allot of overhead, just to dump the alerts to a syslog server to be picked up by the seim? Some of our sensors are already seeing more traffic than they can handle, so we have some serious tuning to do, so I don't want to be running more apps on the box if I dont' need to. Thanx for the reply On Wed, Jul 2, 2014 at 4:27 PM, Jaime Nebrera <jnebrera () redborder org> wrote:
What Snort are you using? Sending syslog messages directly from Snort is like ages old and deprecated Instead you have to configure barnyard2 or similar to do so El 02/07/2014 17:18, "Robert Millott" <robm () millottandassociates com> escribió:I am trying to get snort to send my alerts to a remote syslog server. I have configured snort to log to the local /var/log/messages, then using syslog-ng to forward logs to remote syslog server using: output alert_syslog: LOG_AUTH LOG_ALERT but I want to change it so snort send directly to the remote server. I edited snort.conf and change the output line to output alert_syslog: host=xxx.xxx.xxx.xxx:1516, LOG_AUTH LOG_ALERT but when I start snort I get WARNING: /etc/snort/snort.conf (531) => Unrecognized syslog facility/priority: host=xxx.xxx.xxx.xxx:1516, I have looked over the manual and copied that line directly from it, but I still get the error. Am I missing something? On Wed, Jul 2, 2014 at 10:45 AM, Robert Millott < robm () millottandassociates com> wrote:I am trying to get snort to send my alerts to a remote syslog server. I have configured snort to log to the local /var/log/messages, then using syslog-ng to forward logs to remote syslog server using: output alert_syslog: LOG_AUTH LOG_ALERT but I want to change it so snort send directly to the remote server. I edited snort.conf and change the output line to output alert_syslog: host=xxx.xxx.xxx.xxx:1516, LOG_AUTH LOG_ALERT but when I start snort I get WARNING: /etc/snort/snort.conf (531) => Unrecognized syslog facility/priority: host=xxx.xxx.xxx.xxx:1516, I have looked over the manual and copied that line directly from it, but I still get the error. Am I missing something? -- Robert Millott President, Millott and Associates (443) 255-3588-- Robert Millott President, Millott and Associates (443) 255-3588 ------------------------------------------------------------------------------ Open source business process management suite built on Java and Eclipse Turn processes into business applications with Bonita BPM Community Edition Quickly connect people, data, and systems into organized workflows Winner of BOSSIE, CODIE, OW2 and Gartner awards http://p.sf.net/sfu/Bonitasoft _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
-- Robert Millott President, Millott and Associates (443) 255-3588
------------------------------------------------------------------------------ Open source business process management suite built on Java and Eclipse Turn processes into business applications with Bonita BPM Community Edition Quickly connect people, data, and systems into organized workflows Winner of BOSSIE, CODIE, OW2 and Gartner awards http://p.sf.net/sfu/Bonitasoft
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Re: snort log to remote syslog Robert Millott (Jul 02)
- Re: snort log to remote syslog Y M (Jul 02)
- Message not available
- Re: snort log to remote syslog Robert Millott (Jul 02)