Snort Forums Archive
log alerts to Syslog
Posted by kapishmohole on August 06, 2005 08:36:48
Hi,
How to forward Snort alerts to syslog server?
How can I specify syslog server IP and details?
I am doing this
output alert_syslog: LOG_LOCAL0 LOG_LOCAL1 LOG_LOCAL2 LOG_LOCAL3 LOG_LOCAL4 LOG_LOCAL5 LOG_LOCAL6 LOG_LOCAL7 LOG_ALERT
Posted by jimbo on September 03, 2005 15:09:04
I'm assuming this is on Linux? Sorry for the response 2 months later, I just had this issue and solved it, then I came across this so hopefully I can save someone else the trouble.
You're right on the snort.conf arguments. However, it sends syslog info to the local machine snort is running on. You need to tell the local syslog daemon to send the received info to the remote syslog server. So in actuality, your problem is with the syslog server, not snort (assuming you're getting local syslog events).
The syslog man page has all the details you need. You can have all your local syslog data sent to a remote server, or only specific logging facilities. For only specific facilities, you need to add a "@servername" rather than a logging location such as "/var/log/logname".
Here's a snippet of my /etc/syslog.conf file:
# forward everything logged to facility local1 to the remote syslog host
local1.* @192.168.0.101
And one more thing, the remote syslog server needs to be accepting remote connections. I think you need to use the "-r" switch with the syslog daemon. Once I did that, it all worked fine.
Posted by Joel_Esler on September 06, 2005 17:42:18
Just a question, why are you outputting to so many levels?
Joel Esler
SOURCEfire
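As an added illustration (not code from this thread), here is what the remote collector ends up receiving once the forwarding described above works, and why the long facility list in the original snort.conf cannot all take effect: each syslog message carries one PRI value, facility * 8 + severity, so alert_syslog emits one facility and one level per alert. The message layout and the sample lines are assumptions based on Snort 2's alert_syslog output, not taken from the posts.

```python
import re

# Syslog PRI = facility * 8 + severity (RFC 3164). local0..local7 are facilities
# 16..23, so alert_syslog with LOG_LOCAL1 and LOG_ALERT (severity 1) yields <137>.
FACILITIES = {16 + i: f"local{i}" for i in range(8)}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Assumed Snort 2 alert_syslog body layout:
# "[gid:sid:rev] msg [Classification: c] [Priority: n] {PROTO} src[:port] -> dst[:port]"
ALERT_RE = re.compile(
    r"<(?P<pri>\d{1,3})>.*?snort\[\d+\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] )?"
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)

def parse_alert(line):
    """Parse one received syslog line into a dict; None if it is not a Snort alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    return {
        "facility": FACILITIES.get(pri // 8, f"facility{pri // 8}"),
        "severity": SEVERITIES[pri % 8],
        "sid": int(m["sid"]), "msg": m["msg"],
        "classification": m["cls"],  # None when the rule has no classtype
        "priority": int(m["prio"]), "proto": m["proto"],
        "src": m["src"], "dst": m["dst"],
    }

def snort_alerts(lines):
    """Keep only the Snort alerts out of a mixed stream of forwarded syslog lines."""
    return [a for a in map(parse_alert, lines) if a is not None]

# Constructed sample lines, as the remote collector would receive them over UDP/514.
SAMPLE = [
    "<137>Aug  6 08:36:48 sensor1 snort[4242]: [1:2000001:1] Constructed test alert "
    "[Classification: Misc activity] [Priority: 3] {TCP} 192.168.0.50:51234 -> 192.168.0.10:80",
    "<137>Aug  6 08:36:49 sensor1 snort[4242]: [1:2000002:1] Constructed ICMP sweep "
    "[Priority: 2] {ICMP} 192.168.0.50 -> 192.168.0.11",
    "<30>Aug  6 08:36:50 sensor1 sshd[99]: Accepted publickey for ops from 192.168.0.2",
]

if __name__ == "__main__":
    for alert in snort_alerts(SAMPLE):
        print(alert["facility"], alert["severity"], alert["sid"], alert["src"], "->", alert["dst"])
```

Non-Snort lines (the sshd entry) are dropped, which is the filter a collector needs when the sensor's whole local1 facility is forwarded rather than Snort alone.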