Exporting Snort alerts via syslog to an external syslog server

Evan Pols

Apr 16, 2012, 10:10:59 AM
to security-onion
I'm in the process of building a Security Onion box in a lab and have
not been able to get it to export syslog to my syslog server. So far,
I've tried the following:

added this line to the end of the /etc/rsyslog.conf file:

*.* @<HOSTIP>:514

edited each interface at /etc/nsm/<HOSTNAME>-ethX/snort.conf and
uncommented the following line:

output alert_syslog: LOG_AUTH LOG_ALERT


restarted the services and still don't see syslog. Any ideas? A quick
search revealed that many are trying to set up the Security Onion
install to collect syslog, but I haven't found too much about
exporting it.

scott runnels

Apr 16, 2012, 10:49:24 AM
to securit...@googlegroups.com
Hi Evan,

Have you tried using something like

output alert_syslog: HOSTIP:514, LOG_AUTH LOG_ALERT

?

I'm pretty sure snort still supports going straight to a syslog server.

v/r
Scott

Evan Pols

Apr 16, 2012, 11:21:48 AM
to security-onion
I'll give that a shot, but I thought that was mostly just for Windows
systems. I went ahead and updated snort.conf to be:


# syslog
output alert_syslog:xx.xx.xx.xx:514,LOG_AUTH LOG_ALERT

I'll watch it and see if I get anything.

Evan Pols

Apr 16, 2012, 11:27:20 AM
to security-onion
I went ahead and changed the snort.conf to be the following:

# syslog
output alert_syslog:IP:514,LOG_AUTH LOG_ALERT

So I'll see if that fixes it.

On Apr 16, 10:49 am, scott runnels <srunn...@gmail.com> wrote:

Evan Pols

Apr 17, 2012, 11:18:47 AM
to security-onion
That didn't work, so I just ended up using

output alert_syslog:LOG_AUTH LOG_ALERT

in the snort.conf and then

*.* @IP:514

in the rsyslog.conf

This sends all system messages to it, but at least works, and then I
can filter out the other stuff later. If I knew the proper syntax, I
could use something like:

LOG_AUTH LOG_ALERT @IP:514

But I couldn't get that to work properly, so in the interest of
getting it working for now, I am just sending all logs.
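The working setup above forwards every message on the sensor with *.* and leaves the Snort alerts to be picked out later. As an added example, not code from this thread or from Security Onion or Snort, the script below does two things a practitioner would want here: it turns the Snort LOG_AUTH LOG_ALERT pair into the facility.priority selector rsyslog actually uses (auth.alert, forwarding that priority and anything more severe), and it decodes the RFC 3164 <PRI> prefix (PRI = facility * 8 + severity, so auth.alert is <33>) on lines that reached the collector and keeps only the Snort alerts, since other daemons can log at the same facility. The hostnames, addresses and sample log lines are constructed for the example; the alert body layout follows what Snort's alert_syslog output emits for a rule that has a classification.

```python
"""Added example (not from the thread, Security Onion or Snort):
map Snort's LOG_* names to an rsyslog selector, and filter a mixed
syslog stream back down to Snort alerts by decoding <PRI>.
Sample lines and hosts below are constructed for the example."""
import re

# RFC 3164 facility and severity codes (the values syslog(3) uses).
FACILITIES = {
    "LOG_KERN": 0, "LOG_USER": 1, "LOG_MAIL": 2, "LOG_DAEMON": 3, "LOG_AUTH": 4,
    "LOG_SYSLOG": 5, "LOG_LPR": 6, "LOG_NEWS": 7, "LOG_UUCP": 8, "LOG_CRON": 9,
    "LOG_AUTHPRIV": 10, "LOG_FTP": 11,
}
FACILITIES.update({f"LOG_LOCAL{i}": 16 + i for i in range(8)})
SEVERITIES = {
    "LOG_EMERG": 0, "LOG_ALERT": 1, "LOG_CRIT": 2, "LOG_ERR": 3,
    "LOG_WARNING": 4, "LOG_NOTICE": 5, "LOG_INFO": 6, "LOG_DEBUG": 7,
}


def snort_pri(facility, severity):
    """PRI value Snort's alert_syslog output stamps on each alert."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def rsyslog_forward_rule(facility, severity, host, port=514):
    """rsyslog selector line for the Snort facility/priority pair.
    '@' forwards over UDP ('@@' would be TCP). The selector matches the
    named priority and everything more severe, from any daemon, not only
    Snort, so the collector still has to check the tag."""
    fac = facility[len("LOG_"):].lower()
    sev = severity[len("LOG_"):].lower()
    return f"{fac}.{sev} @{host}:{port}"


# <PRI>Mmm dd hh:mm:ss host tag[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# Snort alert body: [gid:sid:rev] msg [Classification: c] [Priority: n] {proto} src -> dst
SNORT_RE = re.compile(
    r"^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"(?:\[Classification: (?P<classification>[^\]]*)\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)


def parse_syslog_line(line):
    """Decode PRI and header; None for anything that is not RFC 3164."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # facility max 23, severity max 7
        return None
    rec = m.groupdict()
    rec["facility"], rec["severity"] = divmod(pri, 8)
    return rec


def matches_selector(rec, facility, severity):
    """Same test rsyslog applies for 'facility.priority': this facility,
    this priority or more severe (numerically lower)."""
    return (rec["facility"] == FACILITIES[facility]
            and rec["severity"] <= SEVERITIES[severity])


def snort_alerts(lines, facility="LOG_AUTH", severity="LOG_ALERT"):
    """Keep only lines whose PRI matches the selector AND whose tag is
    snort, then split the alert body into fields."""
    alerts = []
    for line in lines:
        rec = parse_syslog_line(line)
        if not rec or rec["tag"] != "snort" or not matches_selector(rec, facility, severity):
            continue
        body = SNORT_RE.match(rec["msg"])
        if body:
            a = body.groupdict()
            a.update(host=rec["host"], ts=rec["ts"])
            alerts.append(a)
    return alerts


# Constructed sample of what '*.* @collector:514' delivers: two Snort alerts
# at auth.alert, an auth.info sshd line, a daemon.info cron line, an
# auth.crit su line (less severe than alert, so not matched), an auth.alert
# line from another daemon (wrong tag), and junk.
SAMPLE = [
    "<33>Apr 16 10:12:01 so-sensor snort[2241]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.5:80 -> 192.0.2.9:50342",
    "<38>Apr 16 10:12:03 so-sensor sshd[1900]: Accepted publickey for evan from 192.0.2.9 port 51200 ssh2",
    "<30>Apr 16 10:12:05 so-sensor CRON[2250]: (root) CMD (run-parts /etc/cron.hourly)",
    "<33>Apr 16 10:12:07 so-sensor snort[2241]: [1:2003068:6] ET SCAN Potential SSH Scan [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.77:41000 -> 198.51.100.5:22",
    "<34>Apr 16 10:12:09 so-sensor su[2260]: Successful su for root by evan",
    "<33>Apr 16 10:12:11 so-sensor sudo[2270]: pam_unix(sudo:auth): authentication failure; user=evan",
    "not a syslog line at all",
]

if __name__ == "__main__":
    print(rsyslog_forward_rule("LOG_AUTH", "LOG_ALERT", "192.0.2.10"))
    for a in snort_alerts(SAMPLE):
        print(f"{a['ts']} {a['host']} sid={a['sid']} {a['msg']} {a['src']} -> {a['dst']}")
```

The selector line the script prints is what would replace *.* in rsyslog.conf on the sensor to forward only that facility/priority; the filter is the check to run on the collector side, because auth.alert also lets through any other daemon that happens to log at that level.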