Snort logs location


CB

Jun 24, 2015, 3:59:55 PM
to securit...@googlegroups.com
Guys,
For simplicity I am using a 3rd-party agent for log collection and am looking to grab a load of log files individually.

This works great when grabbing multiple Bro logs using the Bro log directory, such as:

SSH logs using the path: nsm/bro/logs/current/ssh.log

I am looking to do something similar for IDS alerts; my understanding is that these are stored in Snorby/Sguil/ELSA. They should be in the following log location, but this is really noisy: /var/log/nsm/securityonion/sguild.log. I am looking for a log file with just the IDS alerts only.

Can somebody point me in the right direction please?

Doug Burks

Jun 25, 2015, 7:45:16 AM
to securit...@googlegroups.com
Hi CB,

Barnyard sends IDS alerts to syslog (this is how they get to ELSA), so
you could reconfigure syslog to write those IDS alerts to a file and
then monitor that file.

--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
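Doug's suggestion above, worked through as an added example that is not from the thread and not Security Onion's own configuration: a syslog-ng drop-in that writes only barnyard2 alerts to a dedicated file, and a small filter that runs over a constructed syslog sample to confirm the program() match keeps IDS alerts and nothing else. The daemon (syslog-ng), the program name "barnyard2", the source name "s_src", the file /var/log/nsm/ids-alerts.log and the drop-in path are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the thread, not Security Onion's own configuration):
# route barnyard2 IDS alerts from syslog into their own file, then check that
# the filter really keeps only IDS alerts.
# Assumptions, labelled: syslog-ng is the syslog daemon on the sensor, barnyard2
# logs under the program name "barnyard2", and /var/log/nsm/ids-alerts.log is a
# file name chosen for this example.

# syslog-ng fragment for a drop-in under /etc/syslog-ng/conf.d/ (path assumed).
# "s_src" stands for whatever the system source is called in the local
# syslog-ng.conf; adjust it before installing.
ids_alert_syslog_ng_fragment() {
    cat <<'EOF'
# Keep only messages from barnyard2's alert_syslog output plugin.
filter f_ids_alerts { program("barnyard2"); };

# Dedicated alert file. The template drops the syslog header and keeps an
# ISO timestamp plus the message body, which is what a collector wants to parse.
destination d_ids_alerts {
    file("/var/log/nsm/ids-alerts.log" perm(0640) template("${ISODATE} ${MSG}\n"));
};

log { source(s_src); filter(f_ids_alerts); destination(d_ids_alerts); };
EOF
}

# Constructed syslog sample (not real sensor output): two barnyard2 alerts in
# the snort alert_syslog layout and one unrelated sguild line that must be dropped.
SAMPLE_SYSLOG='Jun 26 08:32:09 so-sensor barnyard2[2215]: [1:1000001:1] LOCAL constructed test alert [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:80 -> 10.0.0.5:53210
Jun 26 08:32:10 so-sensor sguild[1811]: pid(1811) Connect from 127.0.0.1:54522
Jun 26 08:32:11 so-sensor barnyard2[2215]: [1:1000002:2] LOCAL constructed ICMP alert [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.7 -> 10.0.0.5'

# Emulate the program() filter over saved syslog lines on stdin and split each
# alert into tab-separated fields:
#   sig_id  message  priority  protocol  source  destination
# Handles alerts with and without ports (ICMP has none).
extract_ids_alerts() {
    awk '
    / barnyard2\[[0-9]+\]: \[/ {
        line = $0
        sub(/^.* barnyard2\[[0-9]+\]: /, "", line)        # strip syslog header
        match(line, /^\[[0-9]+:[0-9]+:[0-9]+\]/)          # [gid:sid:rev]
        sig  = substr(line, 2, RLENGTH - 2)
        rest = substr(line, RLENGTH + 2)
        msg = rest
        sub(/ \[Classification:.*$/, "", msg)
        sub(/ \[Priority:.*$/, "", msg)
        prio = ""
        if (match(rest, /\[Priority: [0-9]+\]/))
            prio = substr(rest, RSTART + 11, RLENGTH - 12)
        proto = ""
        if (match(rest, /[{][A-Z]+[}]/))
            proto = substr(rest, RSTART + 1, RLENGTH - 2)
        n = split(rest, parts, " ")                       # "... {PROTO} src -> dst"
        printf "%s\t%s\t%s\t%s\t%s\t%s\n", sig, msg, prio, proto, parts[n - 2], parts[n]
    }'
}

# Stand-alone demo: print the fragment, then run the sample through the filter.
ids_alert_syslog_ng_fragment
printf '%s\n' "$SAMPLE_SYSLOG" | extract_ids_alerts
```

The filter function is the same test a collector should apply before trusting the new file: if anything other than barnyard2 output appears in it, the syslog-ng filter is too broad. The template deliberately strips the hostname and program tag; keep the default template instead if the collector already expects full syslog lines.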

CB

Jun 26, 2015, 7:40:54 AM
to securit...@googlegroups.com
Hi Doug - that makes sense, although SO works as a FIFO DB, so if I was creating a separate log file, how would I ensure this was purged at intervals to ensure the disk doesn't fill over time?

Doug Burks

Jun 26, 2015, 7:52:09 AM
to securit...@googlegroups.com
http://manpages.ubuntu.com/manpages/precise/man8/logrotate.8.html

On Fri, Jun 26, 2015 at 7:40 AM, CB <cr...@advancedcybersecurity.co.uk> wrote:
> Hi Doug - that makes sense, although SO works as a FIFO DB, so if I was creating a separate log file, how would I ensure this was purged at intervals to ensure the disk doesn't fill over time?
>

CB

Jun 26, 2015, 8:32:09 AM
to securit...@googlegroups.com
Thanks Doug - is this not the way the SO-created logs are rotated?

So all I would really need to do is modify the pulledpork.conf file to write the logs to a location such as /var/log/idslogstore and then add a line to the logrotate.conf file as below?

# Rotate the IDS logs

/var/log/idslogstore {
    rotate 5
    weekly
    postrotate
        /usr/bin/killall -HUP syslogd
    endscript
}

Doug Burks

Jun 26, 2015, 8:35:36 AM
to securit...@googlegroups.com
On Fri, Jun 26, 2015 at 8:32 AM, CB <cr...@advancedcybersecurity.co.uk> wrote:
> Thanks Doug - is this not the way the SO-created logs are rotated?

Some are rotated by logrotate, others are rotated by the NSM scripts themselves.

> So all I would really need to do is modify the pulledpork.conf file

You mean syslog-ng.conf?

> to write the logs to a location such as /var/log/idslogstore and then add a line to the logrotate.conf file

Probably better to create your own file in /etc/logrotate.d/.

> as below?
>
> # Rotate the IDS logs
>
> /var/log/idslogstore {
>     rotate 5
>     weekly
>     postrotate
>         /usr/bin/killall -HUP syslogd
>     endscript
> }

Try it and see!
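Taking Doug's advice to "try it and see", here is an added example (not CB's or Doug's configuration, and not Security Onion's own) of a drop-in for /etc/logrotate.d/ for the dedicated alert file, with an install helper and a logrotate dry-run check. It differs from the stanza posted above in two ways a practitioner would want: the target is a regular file path rather than a directory, and the postrotate script signals syslog-ng rather than syslogd. The file name /var/log/nsm/ids-alerts.log and the drop-in name ids-alerts are assumptions for this example.

```shell
#!/bin/sh
# Added example (not CB's or Doug's configuration, not Security Onion's): a
# logrotate drop-in for a dedicated IDS alert file, plus an install helper and
# a dry-run check. Assumptions, labelled: syslog-ng writes the alerts to
# /var/log/nsm/ids-alerts.log (a name chosen for this example) and the drop-in
# is installed as /etc/logrotate.d/ids-alerts.

# The stanza. The target is a regular file path, not a directory: logrotate
# rotates the files matched by the path, so naming a bare directory would not
# rotate anything. Comments must start their own line in logrotate syntax.
ids_logrotate_stanza() {
    cat <<'EOF'
# Rotate the dedicated IDS alert file written by syslog-ng (assumed path).
/var/log/nsm/ids-alerts.log {
    weekly
    rotate 5
    # no error on the first run, before barnyard2 has produced an alert
    missingok
    notifempty
    compress
    # keep the newest rotated copy uncompressed so it can be grepped directly
    delaycompress
    sharedscripts
    postrotate
        # syslog-ng keeps writing to the renamed inode until told to reopen
        # its files; SIGHUP makes it reload and reopen. The thread's stanza
        # signalled "syslogd", which is not the daemon on this box.
        /usr/bin/killall -HUP syslog-ng
    endscript
}
EOF
}

# Write the drop-in into a logrotate.d directory (argument; defaults to
# /etc/logrotate.d) and print the path written.
install_ids_logrotate() {
    dir="${1:-/etc/logrotate.d}"
    target="$dir/ids-alerts"
    ids_logrotate_stanza > "$target"
    printf '%s\n' "$target"
}

# Dry-run check: logrotate -d parses the file and reports what it would do
# without rotating anything. A scratch state file keeps the real
# /var/lib/logrotate/status untouched. Skips quietly where logrotate is absent.
dry_run_ids_logrotate() {
    conf="$1"
    if command -v logrotate >/dev/null 2>&1; then
        logrotate -d -s "${TMPDIR:-/tmp}/ids-logrotate.state" "$conf"
    else
        echo "logrotate not installed here; skipping dry run" >&2
    fi
}

# Stand-alone demo: write the drop-in to a scratch directory, show it, dry-run it.
demo_dir=$(mktemp -d)
demo_conf=$(install_ids_logrotate "$demo_dir")
cat "$demo_conf"
dry_run_ids_logrotate "$demo_conf" || echo "logrotate dry run reported a problem" >&2
```

Run the dry run after every edit to the stanza; logrotate -d prints each directive it parsed and the rotation it would perform, so a directory-instead-of-file mistake shows up as "not rotating" output rather than as a silently growing disk. If signalling the daemon is undesirable, copytruncate avoids the postrotate step at the cost of possibly losing lines written during the copy.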