Snort mailing list archives
Barnyard2, Syslog and formatting.
From: "Miller, Mike" <Mike.J.Miller () ihs com>
Date: Mon, 18 May 2015 07:50:09 -0600
I'm going through and modernizing our IDS fleet and am running into the following problem:

The part that works:
================
The first screenshot is the production server; it's syslogging using rsyslog to an RSA SIEM. The RSA sees, parses, and is happy with it. It's using Snort to post to local syslog without Barnyard, and the syslog daemon then forwards it to the SIEM. The rsyslog.conf line is just:

*.* 10.242.3.230

and the snort.conf output line looks like:

output alert_syslog: log_local7 log_alert

http://imgur.com/ckhN3vr,wxu5OyH#0

The part that doesn't:
=================
The second grab is the test server, on the same segment, and it's using barnyard2 to send syslog directly to the same server. Its output looks like this:

http://imgur.com/ckhN3vr,wxu5OyH#1

The configs for barnyard2 look like:

output alert_syslog: host=10.242.3.230, LOG_AUTH LOG_ALERT

The SIEM receives the traffic, but it doesn't know how to parse it, because it doesn't appear like the syslog format it expects. (I suspect because it's missing Facility and Severity.)

Any idea what I'm missing?
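As an added example that is not part of this thread or of Snort/Barnyard2: a small Python check of the RFC 3164 PRI header, which is where a syslog receiver reads Facility and Severity from. It is run over constructed sample messages (hostnames, PIDs and rule text are made up) and also shows what the two configurations' facility/severity pairs encode to as a PRI value.

```python
import re

# RFC 3164 facility and severity names, indexed by their numeric codes
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# PRI header: '<' + decimal 0..191 + '>' at the very start of the datagram
_PRI_RE = re.compile(r"^<(\d{1,3})>")


def encode_pri(facility, severity):
    """PRI value a sender must emit for a facility/severity pair."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def parse_pri(line):
    """Return (facility, severity) for a syslog line, or None when the PRI
    header is absent or out of range (a receiver then cannot classify it)."""
    m = _PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def check_messages(lines):
    """Pair each line with its decoded PRI so missing headers stand out."""
    return [(line, parse_pri(line)) for line in lines]


# Constructed sample messages (not captured from the poster's sensors)
SAMPLES = [
    "<185>May 18 07:50:09 sensor1 snort[2231]: [1:1000001:1] TEST [Priority: 1] {TCP} 10.0.0.5:4444 -> 10.0.0.9:80",
    "<33>May 18 07:50:10 sensor2 barnyard2[2290]: [1:1000001:1] TEST [Priority: 1] {TCP} 10.0.0.5:4444 -> 10.0.0.9:80",
    "May 18 07:50:11 sensor2 barnyard2: [1:1000001:1] TEST [Priority: 1] {TCP} 10.0.0.5:4444 -> 10.0.0.9:80",
]

if __name__ == "__main__":
    for line, parsed in check_messages(SAMPLES):
        print(f"{line[:45]!r:50} -> {parsed or 'NO PRI HEADER, receiver cannot classify'}")
```

The third sample is the shape the poster suspects: a message body with no leading `<PRI>`, which a strict receiver has no facility or severity for.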