Snort mailing list archives
Re: Snort-users Digest, Vol 108, Issue 36
From: "Miller, Mike" <Mike.J.Miller () ihs com>
Date: Wed, 20 May 2015 12:21:40 -0600
Yeah, I'm not finding any joy with that. Mostly because I'm using Security Onion, and it does things it wants to do with Syslog. It's really bizarre that I can't get Barnyard to output the severity and facility... that's a bog stock syslog format thing to do. I'm scripting a small fleet of these things and altering a conf file to produce the right output is do-able; installing a second syslog facility on another port so it can filter to the right format doesn't seem like the right way to go about it.

-----Original Message-----
Message: 4
Date: Mon, 18 May 2015 11:14:08 -0600
From: James Lay <jlay () slave-tothe-box net>
Subject: Re: [Snort-users] Barnyard2, Syslog and formatting.
To: snort-users () lists sourceforge net
Message-ID: <7ad3f42241215b9d8015a9594701306f@localhost>
Content-Type: text/plain; charset=UTF-8; format=flowed

On 2015-05-18 07:50 AM, Miller, Mike wrote:

I'm going through and modernizing our IDS fleet and am running into the following problem:

The part that works:
================
The first screenshot is the production server; it's syslogging using rsyslog to an RSA SIEM. The RSA sees, parses, and is happy with it. It's using Snort to post to local syslog without Barnyard; the syslog daemon then forwards it to the SIEM. The rsyslog.conf line is just *.* 10.242.3.230, and the snort.conf output line looks like:

output alert_syslog: log_local7 log_alert

http://imgur.com/ckhN3vr,wxu5OyH#0

The part that doesn't:
=================
The second grab is the test server, on the same segment, and it's using barnyard2 to send syslog directly to the same server... its output looks like this:

http://imgur.com/ckhN3vr,wxu5OyH#1

The configs for barnyard2 look like:

output alert_syslog: host=10.242.3.230, LOG_AUTH LOG_ALERT

The SIEM receives the traffic, but it doesn't know how to parse it, because it doesn't appear like the syslog format it expects. (I suspect because it's missing Facility and Severity.) Any idea what I'm missing?

Mike,

In setting up barnyard2 for logstash I found that I had to have logstash just set up as a generic UDP listener. From there barnyard2:

output alert_syslog_full: sensor_name external, server x.x.x.x, protocol udp, port 5514

That seems to work, but did require tweaking on the receiving end. Hope that helps.

James
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
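The thread turns on the syslog PRI header, the `<N>` prefix that encodes facility and severity as `facility * 8 + severity` (RFC 3164 section 4.1.1), which a SIEM expecting standard syslog uses to classify a message. The following script is an added example, not code from the thread, from Snort, or from barnyard2: it computes the PRI that the two configurations quoted above would carry (`log_local7 log_alert` and `LOG_AUTH LOG_ALERT`), checks received lines for a valid PRI header, and shows how a receiving shim could prepend a PRI to lines that arrive without one. The sample log lines are constructed for the example and are not the screenshots from the thread.

```python
import re

# Standard facility and severity codes (RFC 3164 / RFC 5424).
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
              10: "authpriv", 11: "ftp", 16: "local0", 17: "local1",
              18: "local2", 19: "local3", 20: "local4", 21: "local5",
              22: "local6", 23: "local7"}
SEVERITIES = {0: "emerg", 1: "alert", 2: "crit", 3: "err", 4: "warning",
              5: "notice", 6: "info", 7: "debug"}
FACILITY_CODES = {name: code for code, name in FACILITIES.items()}
SEVERITY_CODES = {name: code for code, name in SEVERITIES.items()}

# PRI header: '<' followed by one to three digits and '>' at the very start.
PRI_RE = re.compile(r"^<(\d{1,3})>")


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity, e.g. local7/alert -> 185."""
    return FACILITY_CODES[facility] * 8 + SEVERITY_CODES[severity]


def decode_pri(pri):
    """Split a PRI value back into (facility name, severity name)."""
    return FACILITIES.get(pri // 8, "unknown"), SEVERITIES[pri % 8]


def check_line(line):
    """Return (has_pri, facility, severity, payload) for one received line.

    has_pri is False when the line has no PRI header or the value is out of
    range (max legal PRI is 191 = 23 * 8 + 7); that is the case a SIEM
    expecting RFC 3164 input will fail to parse.
    """
    m = PRI_RE.match(line)
    if not m:
        return (False, None, None, line)
    pri = int(m.group(1))
    if pri > 191:
        return (False, None, None, line)
    facility, severity = decode_pri(pri)
    return (True, facility, severity, line[m.end():])


def add_pri(line, facility, severity):
    """Prepend a PRI header to a line that lacks one (receiver-side shim).
    Lines that already carry a valid PRI are returned unchanged."""
    if check_line(line)[0]:
        return line
    return "<%d>%s" % (encode_pri(facility, severity), line)


# Constructed sample input (not the screenshots from the thread):
# first line as rsyslog would forward a Snort alert logged with
# log_local7 log_alert; second line with no PRI header at all.
SAMPLE_LINES = [
    "<185>May 18 07:50:01 sensor1 snort[1234]: [1:2100498:7] "
    "GPL ATTACK_RESPONSE id check returned root [Classification: "
    "Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 10.0.0.9:51234",
    "May 18 07:50:02 sensor2 barnyard2: [1:2100498:7] "
    "GPL ATTACK_RESPONSE id check returned root [Classification: "
    "Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 10.0.0.9:51235",
]


def audit(lines):
    """Summarise which lines a PRI-expecting receiver can classify."""
    return [check_line(line)[:3] for line in lines]


if __name__ == "__main__":
    print("snort log_local7 log_alert  -> PRI", encode_pri("local7", "alert"))
    print("barnyard2 LOG_AUTH LOG_ALERT -> PRI", encode_pri("auth", "alert"))
    for has_pri, fac, sev in audit(SAMPLE_LINES):
        print("parsed" if has_pri else "NO PRI HEADER", fac, sev)
    print(add_pri(SAMPLE_LINES[1], "auth", "alert")[:40])
```

Run against a capture of what actually arrives at the SIEM, the audit shows whether the barnyard2 path is emitting a PRI at all; if it is not, `add_pri` is the kind of normalisation a UDP relay (the "tweaking on the receiving end" James mentions) would have to do before handing lines to a parser that insists on RFC 3164 framing.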
Current thread:
- Re: Snort-users Digest, Vol 108, Issue 36 Miller, Mike (May 20)
- Re: Snort-users Digest, Vol 108, Issue 36 waldo kitty (May 20)