Sending snort logs to LogRhythm SIEM


Monah Baki

Feb 25, 2015, 2:32:27 PM
to securit...@googlegroups.com
Trying to follow the steps in https://blog.logrhythm.com/security/integrating-snort-alerts-with-logrhythm-via-barnyard2/


I just need the snort events, so in my barnyard2-1.conf:

output log_syslog_full: sensor_name $your_sensor_name, server $your_log_manager_ip, log_priority log_alert, operation_mode default


Nothing shows up in LogRhythm SIEM, and if I run tcpdump on my promiscuous interface on port 514, no results show up.


Thanks
Monah

Doug Burks

Feb 25, 2015, 7:58:35 PM
to securit...@googlegroups.com
Hi Monah,

Please see:
https://code.google.com/p/security-onion/wiki/ThirdPartyIntegration#Support



--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

CB

Feb 27, 2015, 8:36:18 PM
to securit...@googlegroups.com
Modify the config file /etc/nsm/<sensor name>/barnyard.conf

comment out the default line and enter:

output log_syslog_full: sensor_name <sensor name>, server <LogRhythm IP>, protocol udp, port 514, operation_mode default

if you want the packet data also:

output log_syslog_full: sensor_name <sensor name>, server <LogRhythm IP>, protocol udp, port 514, operation_mode complete

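The config lines above send Snort alerts as syslog over UDP to port 514 on the SIEM. The original poster saw nothing on port 514 with tcpdump, so a useful first step is to prove the UDP syslog path itself works, independently of barnyard2. The script below is an added example for this thread; it is not code from the thread, from barnyard2 or from LogRhythm. It builds a generic RFC 3164 syslog datagram with the PRI value that a facility/severity pair maps to (the thread only uses `log_alert`; the other `log_*` names here are assumed to follow the same convention and are mapped to the standard syslog.h codes), sends it over UDP to a local listener, and parses it back. The line layout, the `barnyard2` tag and the `log_auth` default are this example's choices, not barnyard2's exact wire format, and the server/port in `send_test_message` are placeholders.

```python
"""Loopback check of the UDP syslog path used by barnyard2's log_syslog_full
output. Added example, not code from the thread, barnyard2 or LogRhythm."""
import re
import socket
from datetime import datetime

# Standard syslog facility and severity codes (RFC 3164 / <syslog.h>).
# The log_* spelling mirrors barnyard2's keyword style; only log_alert is
# confirmed by the thread, the remaining names are an assumption.
FACILITIES = {
    "log_user": 1, "log_daemon": 3, "log_auth": 4, "log_authpriv": 10,
    **{f"log_local{i}": 16 + i for i in range(8)},
}
SEVERITIES = {
    "log_emerg": 0, "log_alert": 1, "log_crit": 2, "log_err": 3,
    "log_warning": 4, "log_notice": 5, "log_info": 6, "log_debug": 7,
}

# <PRI>Mmm dd hh:mm:ss HOST TAG: MSG  (day is space-padded, e.g. "Feb  5")
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$",
    re.S,
)


def syslog_pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity; this is the number inside <...> on the wire."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_datagram(sensor_name: str, msg: str, facility: str = "log_auth",
                   severity: str = "log_alert", timestamp: datetime = None) -> bytes:
    """Build one RFC 3164-style syslog line. log_auth is this example's
    default facility, not necessarily barnyard2's."""
    ts = timestamp or datetime.now()
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"
    line = f"<{syslog_pri(facility, severity)}>{stamp} {sensor_name} barnyard2: {msg}"
    return line.encode()


def parse_datagram(data: bytes) -> dict:
    """Split a received datagram back into PRI, facility, severity and fields."""
    m = _SYSLOG_RE.match(data.decode(errors="replace"))
    if not m:
        raise ValueError(f"not an RFC 3164 syslog line: {data!r}")
    pri = int(m["pri"])
    fac, sev = divmod(pri, 8)
    fac_name = next((k for k, v in FACILITIES.items() if v == fac), f"facility{fac}")
    sev_name = next(k for k, v in SEVERITIES.items() if v == sev)
    return {"pri": pri, "facility": fac_name, "severity": sev_name,
            "timestamp": m["ts"], "host": m["host"], "tag": m["tag"], "msg": m["msg"]}


def send_test_message(server: str, sensor_name: str, msg: str, port: int = 514) -> None:
    """Fire one datagram at a real collector (server and port are placeholders).
    Capture on the sending host's management interface to confirm it leaves."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(build_datagram(sensor_name, msg), (server, port))


def loopback_roundtrip(sensor_name: str, msg: str, timeout: float = 2.0) -> dict:
    """Send a datagram to a local UDP listener and parse what arrives."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))  # ephemeral port, no root needed
        listener.settimeout(timeout)
        port = listener.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sender:
            sender.sendto(build_datagram(sensor_name, msg), ("127.0.0.1", port))
        data, _ = listener.recvfrom(65535)
    return parse_datagram(data)


if __name__ == "__main__":
    # Constructed sensor name and message; nothing here comes from a real sensor.
    print(loopback_roundtrip("SENSOR-eth0-1", "constructed test alert"))
```

A `log_auth`/`log_alert` message carries PRI 33 (auth.alert), which is what to look for in the collector's raw log if LogRhythm accepts the datagram but does not classify it. When checking with tcpdump, capture on the sensor's management interface (`tcpdump -ni <mgmt iface> udp port 514`), not on the sniffing interface: on Security Onion the sniffing interface has no IP address, so the sensor's own syslog traffic never leaves through it.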
Ric Woodard

Mar 4, 2015, 10:23:32 AM
to securit...@googlegroups.com
Monah, I've added the following line into each barnyard.conf file on every sensor, and they forward successfully to my LogRhythm SIEM.

output log_syslog_full: sensor_name SENSOR-eth0-1, server LOGRHYTHMIP, log_priority log_alert, operation_mode default