Snort mailing list archives

Re: Snort-users Digest, Vol 108, Issue 36


From: "Miller, Mike" <Mike.J.Miller () ihs com>
Date: Wed, 20 May 2015 12:21:40 -0600

Yeah, I'm not finding any joy with that. Mostly because I'm using Security Onion, and it does things it wants to do 
with Syslog. It's really bizarre that I can't get Barnyard to output the severity and facility...that's a bog stock 
syslog format thing to do. 

I'm scripting a small fleet of these things, and altering a conf file to produce the right output is doable; installing 
a second syslog facility on another port so it can filter to the right format doesn't seem like the right way to go 
about it. 

-----Original Message-----
Message: 4
Date: Mon, 18 May 2015 11:14:08 -0600
From: James Lay <jlay () slave-tothe-box net>
Subject: Re: [Snort-users] Barnyard2, Syslog and formatting.
To: snort-users () lists sourceforge net
Message-ID: <7ad3f42241215b9d8015a9594701306f@localhost>
Content-Type: text/plain; charset=UTF-8; format=flowed

On 2015-05-18 07:50 AM, Miller, Mike wrote:
I'm going through and modernizing our IDS fleet and am running into 
the following problem:

The part that works:
================
The first screenshot is the production server; it's syslogging using 
rsyslog to an RSA SIEM. The RSA sees, parses, and is happy with it.
It's using Snort to post to local syslog without Barnyard; the syslog 
daemon then forwards it to the SIEM.

rsyslog.conf line is just *.* 10.242.3.230, and the snort.conf output 
line looks like:

output alert_syslog: log_local7 log_alert

http://imgur.com/ckhN3vr,wxu5OyH#0


The part that doesn't:
=================
The second grab is the test server, on the same segment, and it's 
using barnyard2 to send syslog directly to the same server. Its output 
looks like this:

http://imgur.com/ckhN3vr,wxu5OyH#1

the configs for barnyard2 look like:

output alert_syslog: host=10.242.3.230, LOG_AUTH LOG_ALERT


The SIEM receives the traffic, but it doesn't know how to parse it, 
because it doesn't appear like the syslog format it expects. (I 
suspect because it's missing Facility and Severity.)

Any idea what I'm missing?

Mike,

In setting up barnyard2 for logstash I found that I had to have logstash just set up as a generic UDP listener.  From 
there barnyard2:

output alert_syslog_full: sensor_name external, server x.x.x.x, protocol udp, port 5514

That seems to work, but did require tweaking on the receiving end.  Hope that helps.

James


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
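The gap the thread circles around, as an added example that is not code from the thread, from barnyard2 or from Security Onion: an RFC 3164 syslog message must begin with "<PRI>", where PRI = facility * 8 + severity, and a collector that keys on facility and severity cannot classify a datagram that lacks that prefix. The script below computes and checks that header, and sketches the "generic UDP listener" approach James describes as a small relay that accepts datagrams on one port and forwards them to the SIEM correctly framed. The listener port 5514, the hostname ids02, the fixed LOG_AUTH/LOG_ALERT mapping and the two sample alert lines are assumptions constructed for this example; the SIEM address 10.242.3.230 is the one from the thread.

```python
#!/usr/bin/env python3
"""Check and repair the syslog PRI header on IDS alert lines.

Added example, not barnyard2 or Security Onion code.  RFC 3164 messages start
with "<PRI>" where PRI = facility * 8 + severity; a SIEM that classifies on
facility/severity cannot parse a datagram that lacks that prefix.
"""
import re
import socket
from datetime import datetime

# syslog(3) facility and severity numbers as listed in RFC 3164 section 4.1.1.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}
PRI_RE = re.compile(r"^<(\d{1,3})>")


def _strip_log(name):
    """Accept the spellings used in snort.conf / barnyard2.conf: LOG_AUTH, log_local7, auth."""
    name = name.strip().lower()
    return name[4:] if name.startswith("log_") else name


def pri(facility, severity):
    """PRI value for a facility/severity pair, e.g. log_local7 + log_alert -> 185."""
    return FACILITIES[_strip_log(facility)] * 8 + SEVERITIES[_strip_log(severity)]


def parse_pri(msg):
    """Return (facility, severity, remainder) if msg carries a valid PRI, else None.

    191 (local7.debug) is the largest legal value; anything above it is rejected
    so a stray "<200>" at the start of free text is not mistaken for a header.
    """
    m = PRI_RE.match(msg)
    if not m:
        return None
    code = int(m.group(1))
    if code > 191:
        return None
    fac, sev = divmod(code, 8)
    # Facilities 12-15 have no syslog.h name; report them by number.
    return FACILITY_NAMES.get(fac, f"facility{fac}"), SEVERITY_NAMES[sev], msg[m.end():]


def bsd_header(hostname, when=None):
    """RFC 3164 TIMESTAMP (day is space-padded, not zero-padded) followed by HOSTNAME."""
    when = when or datetime.now()
    return f"{when:%b} {when.day:2d} {when:%H:%M:%S} {hostname}"


def normalize(msg, facility, severity, hostname, when=None):
    """Leave a well-formed message alone; otherwise prepend PRI and a BSD header."""
    if parse_pri(msg) is not None:
        return msg
    return f"<{pri(facility, severity)}>{bsd_header(hostname, when)} {msg}"


def relay(listen_port, siem_host, siem_port, facility, severity, hostname):
    """Generic UDP listener in front of the SIEM: re-frame each datagram and forward it."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("0.0.0.0", listen_port))
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    while True:
        data, _ = rx.recvfrom(65535)
        line = data.decode("utf-8", "replace").rstrip("\r\n")
        tx.sendto(normalize(line, facility, severity, hostname).encode(), (siem_host, siem_port))


# Constructed sample lines (assumed, not copied from the thread's screenshots).
# GOOD is what Snort's own alert_syslog (log_local7 log_alert: 23*8+1 = 185) via rsyslog looks like;
# BARE is a payload with no PRI and no header, the shape the SIEM fails to parse.
GOOD = ("<185>May 18 07:50:12 ids01 snort[2210]: [1:2100498:7] GPL ATTACK_RESPONSE "
        "id check returned root [Priority: 2] {TCP} 10.1.1.5:80 -> 10.2.2.9:51234")
BARE = ("snort[2210]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root "
        "[Priority: 2] {TCP} 10.1.1.5:80 -> 10.2.2.9:51234")
SAMPLE_WHEN = datetime(2015, 5, 18, 7, 50, 12)  # fixed timestamp so output is reproducible

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:  # e.g. ./pri_relay.py 5514 10.242.3.230 514
        relay(int(sys.argv[1]), sys.argv[2], int(sys.argv[3]),
              "LOG_AUTH", "LOG_ALERT", socket.gethostname())
    else:
        for line in (GOOD, BARE):
            print(parse_pri(line), "->", normalize(line, "LOG_AUTH", "LOG_ALERT", "ids02", SAMPLE_WHEN))
```

Point barnyard2 at the relay port instead of the SIEM (for example `output alert_syslog_full: sensor_name external, server 127.0.0.1, protocol udp, port 5514`) and let the relay talk to 10.242.3.230 on 514; run the script with no arguments to see which of the two sample lines the SIEM-side parser would accept and what the repaired one looks like. The PRI is chosen by the relay, so choose the facility/severity pair the SIEM's parser already maps for the working sensors.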