Forward snort events to remote syslog server on Security Onion


wei...@gmail.com

Dec 21, 2013, 10:19:10 PM
to securit...@googlegroups.com
I am new to Security Onion. I have successfully installed Security Onion (mostly using the method described on http://www.drchaos.com/ultimate-guide-to-installing-security-onion-with-snort-and-snorby/ and http://www.drchaos.com/fine-tuning-snort-rules-in-security-onion/).

I have Snorby running, am getting alerts in my dashboard, and things seem to be working fine.

I want to forward my IDS/Snort logs to an external syslog server. How do I do that?

I went to /etc/nsm/sec-onion-eth1/snort.conf and added the line:

output alert_syslog: 10.0.1.33:514, LOG_AUTH LOG_ALERT


I also went to /etc/rsyslog.conf and added the line:

#$UDPServerRun 514
*.* @10.0.1.33:514
*.*@10.0.1.33:514

(wasn't sure if there needed to be a space before the "@" symbol.)


None of those methods worked, and I am still not seeing snort events being forwarded to my syslog server.

Doug Burks

Dec 22, 2013, 6:38:27 AM
to securit...@googlegroups.com
Hi weiss96,

Take a look at /etc/nsm/sec-onion-eth1/barnyard2*.conf.


--
Doug Burks
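Once barnyard2 is forwarding alerts, the remote syslog server receives them in Snort's standard alert_syslog line layout ([gid:sid:rev] message [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port). The parser below is an added example, not code from this thread or from Security Onion, and the sample syslog lines in it are constructed; it shows how a receiver can pick the Snort alerts out of a mixed syslog stream and extract the fields a SIEM would index.

```python
import re

# Snort/barnyard2 alert body as it appears after the syslog header and
# "snort[pid]:" tag. Classification is optional; ICMP lines carry no ports.
# IPv4 only, to keep the port split unambiguous.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+"
    r"(?:\[Classification:\s+(?P<classification>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample of what the remote syslog server might log: two Snort
# alerts plus an unrelated sshd line that the parser must ignore.
SAMPLE_LINES = [
    "Dec 21 22:19:10 sec-onion snort[4321]: [1:2100498:7] GPL ATTACK_RESPONSE "
    "id check returned root [Classification: Potentially Bad Traffic] "
    "[Priority: 2] {TCP} 10.0.1.50:80 -> 10.0.1.20:51234",
    "Dec 21 22:19:12 sec-onion snort[4321]: [1:2100366:8] GPL ICMP_INFO PING *NIX "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 10.0.1.20 -> 10.0.1.50",
    "Dec 21 22:19:13 sec-onion sshd[100]: Accepted publickey for admin from 10.0.1.2",
]


def parse_snort_alert(line):
    """Return a dict of alert fields, or None if the line is not a Snort alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("gid", "sid", "rev", "priority"):
        d[key] = int(d[key])
    # Ports are absent for ICMP; keep None rather than a bogus 0.
    d["sport"] = int(d["sport"]) if d["sport"] else None
    d["dport"] = int(d["dport"]) if d["dport"] else None
    return d


def high_priority_alerts(lines, max_priority=2):
    """Return the SIDs of alerts at or above the given Snort priority (1 = highest)."""
    sids = []
    for line in lines:
        alert = parse_snort_alert(line)
        if alert and alert["priority"] <= max_priority:
            sids.append(alert["sid"])
    return sids
```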

Stafford Waltho

Sep 30, 2015, 2:03:18 PM
to security-onion
Hi Doug

Is it possible to send IDS logs to Kiwi Syslog server? If so, how would I do this, and what file(s) would I need to modify? Any help would be appreciated.

Doug Burks

Sep 30, 2015, 4:13:29 PM
to securit...@googlegroups.com
Hi Stafford,

Have you seen the following page on our wiki?
https://github.com/Security-Onion-Solutions/security-onion/wiki/ThirdPartyIntegration


--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com