Snort Alerts to SIEM via syslog with barnyard2.conf -- not working


Michael Logoyda

May 12, 2014, 6:12:26 PM5/12/14
to securit...@googlegroups.com
I've been trying to send Snort alerts to my SIEM via the barnyard2.conf file. Following the third party integration page (https://code.google.com/p/security-onion/wiki/ThirdPartyIntegration) and several other posts here, I've been trying both /etc/nsm/$tap/barnyard2.conf and barnyard2-1.conf with the following syntax (none of them work):

output alert_syslog: host=10.128.64.73, LOG_AUTH LOG_ALERT
output alert_syslog: host=10.128.64.73 LOG_AUTH LOG_ALERT
output alert_syslog: host=10.128.64.73:514, LOG_AUTH LOG_ALERT
output alert_syslog: host=10.128.64.73:514, LOG_ALERT

I haven't changed anything else in the .conf's. What is the proper syntax? Is there anything else that might be preventing the .conf from outputting to syslog?

Doug Burks

May 13, 2014, 7:31:32 AM5/13/14
to securit...@googlegroups.com
Hi Michael,

As mentioned on the ThirdPartyIntegration page, we don't really
support third-party integration, but here are a few questions that
might set you in the right direction.

Did you restart all barnyard2 instances after modifying your config files?

Have you tried googling for example syntax of configuring barnyard2 to
send to an external syslog?

--
Doug Burks

David Vasil

May 13, 2014, 8:33:03 AM5/13/14
to securit...@googlegroups.com

You could try the following:

output alert_syslog: LOG_LOCAL6 LOG_ALERT

and have your local syslog-ng set to forward your snort logs accordingly. That is how I configured mine and it works as expected.

-david vasil

Michael Logoyda

May 22, 2014, 1:36:29 PM5/22/14
to securit...@googlegroups.com
So it turns out that alert_syslog doesn't work the same way in barnyard as it does in Snort. Even though I see that all over the place (maybe it did at some point?), the actual barnyard2 git references show that alert_syslog doesn't allow the output to be specified. Instead, I was able to successfully use log_syslog_full to send directly from barnyard.

So for anyone looking to send syslog to a SIEM or anything else, I did a quick write-up here: http://blog.logrhythm.com/uncategorized/integrating-snort-alerts-with-logrhythm-via-barnyard2/

Samson H

May 23, 2014, 9:22:11 AM5/23/14
to securit...@googlegroups.com
Very cool! Thank you for the write-up!

CB

Feb 9, 2015, 3:55:11 AM2/9/15
to securit...@googlegroups.com
I have it working this way:

output log_syslog_full: sensor_name <yoursensorname>, server <SyslogServerIp>, protocol udp, port <514??>, operation_mode default

Jeremy Roberts

Nov 20, 2017, 10:21:58 AM11/20/17
to security-onion
On Thursday, May 22, 2014 at 1:36:29 PM UTC-4, Michael Logoyda wrote:
> So it turns out that alert_syslog doesn't work the same way in barnyard as it does in Snort. Even though I see that all over the place (maybe it did at some point?), the actual barnyard2 git references show that alert_syslog doesn't allow the output to be specified. Instead, I was able to successfully use log_syslog_full to send directly from barnyard.
>
> So for anyone looking to send syslog to a SIEM or anything else, I did a quick write-up here: http://blog.logrhythm.com/uncategorized/integrating-snort-alerts-with-logrhythm-via-barnyard2/

Do you have a copy of this write-up? I tried to access it and it no longer appears. I am pulling my hair out trying to get this thing to work in this fashion. Thanks!

Wes

Nov 20, 2017, 11:46:24 AM11/20/17
to security-onion

Jeremy,

Have you tried following the steps here?

https://github.com/Security-Onion-Solutions/security-onion/wiki/ThirdPartyIntegration

Thanks,
Wes

Jeremy Roberts

Nov 20, 2017, 11:48:32 AM11/20/17
to securit...@googlegroups.com
I'm working on that; there were some complaints that I was sending the logs from Bro instead of Suricata itself. Is there a way to disable Bro? I guess the plan is to disable Bro and send from Suricata in the barnyard file.


Wes

Nov 20, 2017, 11:53:19 AM11/20/17
to security-onion

That shouldn't be the case if you are following the steps here:

https://github.com/Security-Onion-Solutions/security-onion/wiki/ThirdPartyIntegration#how-do-i-send-ids-alerts-to-an-external-system

and not above that portion.

You shouldn't need to disable Bro to do so.

Thanks,
Wes


Daniel Rieille

Aug 6, 2018, 2:14:13 AM8/6/18
to securit...@googlegroups.com
Hi Jesus,

Personally I've added an output module (output alert_syslog: log_local5 log_alert) for each snort sensor and used syslog-ng.conf for redirecting local5 output directly to an external syslog server or to the central master OS and from there to the remote syslog server.

Hope this helps

Dan

On Sun, 5 Aug 2018 at 06:40, Jesus Padro <jdp...@gmail.com> wrote:
Wes
As you are aware I have recently deployed a distributed architecture (1 Master / 5 minions, soon to be 10). What I would like to do now is also forward the Suricata alerts processed by the Master to our centralized syslog server.

In looking at the link you provided in a previous reply, the location given within that link points to /var/log/nsm/securityonion/sguild.log on the Master. Looking at the contents within this file it would seem that this is data related to the connection state of the minions and their interaction with the Master; some database activities are also collected within this file. What I do not see is Suricata alert data.

So since I am utilizing the latest greatest SecurityOnion for my distributed deployment I would like to ask which log file contains the Suricata alert data, so that I can correct the necessary source entry within syslog-ng to deliver those alerts to my centralized syslog collector for long term storage. My retention period for this segment is 2 years of alert data.

Thanks
Jesus

Jesus Padro

Aug 8, 2018, 2:27:04 AM8/8/18
to security-onion
Dan
Interesting you mention adding the output module to each snort instance; did you add it to Barnyard2 on the sensor/minion? I ask since I have seen a similar output module written within each of the barnyard2 conf files (6 total) within my minion. By default the following output module is listed:

output alert_syslog: LOG_LOCAL6 LOG_ALERT

Would you be willing to share those entries within your syslog-ng.conf file. Just x.x.x.x the remote server IP from that output.

Thanks
Jesus

Daniel Rieille

Aug 8, 2018, 3:20:14 AM8/8/18
to securit...@googlegroups.com
Jesus,

No, I didn't add it to barnyard2, which I only use for Sguil.
In syslog-ng.conf, I'm filtering the localx output from snort and redirecting it directly to the remote syslog server xx.xx.xx.xx.

I'm using both systems, legacy snort systems with new ones running on SO, and all the boxes forward the snort alerts (using the same format) to the remote syslog server, then to a central SIEM.

And it works perfectly.

Hope this helps

Dan
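The thread settles on two working patterns: barnyard2's `alert_syslog` only takes a facility/severity pair and logs locally (so a `host=` option is silently ignored and syslog-ng must forward that facility), while `log_syslog_full` needs `sensor_name`, `server` and `port` filled in to send off-box. The linter below checks a barnyard2.conf for both mistakes and computes the syslog PRI value a syslog-ng facility/severity filter would have to match. This is an added example, not code from Security Onion or barnyard2; the conf fragment, sensor name and addresses are constructed.

```python
import re

# RFC 3164 facility and severity codes (same numbers as <syslog.h>); PRI = facility * 8 + severity.
FACILITIES = {"LOG_AUTH": 4, "LOG_SYSLOG": 5, **{f"LOG_LOCAL{i}": 16 + i for i in range(8)}}
SEVERITIES = {"LOG_EMERG": 0, "LOG_ALERT": 1, "LOG_CRIT": 2, "LOG_ERR": 3,
              "LOG_WARNING": 4, "LOG_NOTICE": 5, "LOG_INFO": 6, "LOG_DEBUG": 7}

# Constructed barnyard2.conf fragment mixing the thread's broken and working output lines.
SAMPLE_CONF = """\
# constructed sample, not a real sensor config
output alert_syslog: host=10.128.64.73:514, LOG_AUTH LOG_ALERT
output alert_syslog: LOG_LOCAL6 LOG_ALERT
output log_syslog_full: sensor_name <yoursensorname>, server <SyslogServerIp>, protocol udp, port <514??>, operation_mode default
output log_syslog_full: sensor_name so-sensor-eth1, server 192.0.2.10, protocol udp, port 514, operation_mode default
"""

def syslog_pri(facility, severity):
    """PRI value carried in '<PRI>' of each message for this facility/severity pair."""
    return FACILITIES[facility.upper()] * 8 + SEVERITIES[severity.upper()]

def lint_outputs(conf_text):
    """Return (line_number, message) findings for barnyard2 'output' lines; [] means clean."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        m = re.match(r"\s*output\s+(\w+):\s*(.*)$", raw)
        if not m:
            continue  # comments, blank lines and non-output directives are skipped
        plugin, args = m.group(1), m.group(2)
        if plugin == "alert_syslog":
            # alert_syslog writes to the local syslog only; a host= option is not honoured.
            if "host=" in args:
                findings.append((lineno, "alert_syslog ignores host=; use log_syslog_full for a remote server"))
            tokens = [t.strip(",").upper() for t in args.split()]
            if not any(t in FACILITIES for t in tokens) or not any(t in SEVERITIES for t in tokens):
                findings.append((lineno, "alert_syslog needs a facility and a severity, e.g. LOG_LOCAL6 LOG_ALERT"))
        elif plugin == "log_syslog_full":
            # Options are 'key value' pairs separated by commas.
            opts = dict(re.findall(r"(\w+)\s+([^,]+)", args))
            for key in ("sensor_name", "server", "port"):
                if key not in opts:
                    findings.append((lineno, f"log_syslog_full is missing '{key}'"))
                elif re.search(r"[<>?]", opts[key]):
                    findings.append((lineno, f"log_syslog_full '{key}' still holds a placeholder: {opts[key].strip()}"))
    return findings

if __name__ == "__main__":
    for lineno, msg in lint_outputs(SAMPLE_CONF):
        print(f"line {lineno}: {msg}")
    print("LOG_LOCAL6/LOG_ALERT messages carry PRI", syslog_pri("LOG_LOCAL6", "LOG_ALERT"))
```

The PRI value is what to look for in a packet capture on the collector when a syslog-ng `facility(local6)` filter seems not to match.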