RE: Snort Syslog Alerts on Win32

["L. Christopher Luther" <CLuther () Xybernaut com>]

My previous posts on this subject somewhat explain the issue, but in a nut
shell:  

My initial question was how to use "output alert_syslog" to send syslog
alerts to a remote syslog daemon.  After posting this question to the list,
I installed a local syslog daemon on the Snort box in order to see what type
of output was being generated.  What I found was that Snort was not
generating syslog messages but was instead populating the Application Event
Log on my WinNT4 Snort box.  

In snort.conf (a WinNT4 Snort 1.8.6 box) I've got the statement "output
alert_syslog: LOG_AUTHPRIV LOG_ALERT".  There are other output statements
(e.g., alert_fast, database), but it seems that it is the "alert_syslog"
statement that is causing Snort to send alert information to the local
Application Event Log.  My examination of the source code from the Snort
1.8.6 tar ball (i.e., \snort-1.8.6\win32\WIN32-Code\syslog.c in
snort-1.8.6.tar.gz) that confirmed that Snort's "alert_syslog" functionality
under Win32 was dumping stuff to the Event Log and not a syslog daemon.  

And the reason I don't use the alert/log command line parameters (e.g., "-A
fast") is because it is my understanding and experience that these override
the alert/log output plug-ins specified in snort.conf.   

Hope this explains things better.  


-----Original Message-----
From: Rich Adamson [mailto:radamson () routers com]
Sent: Saturday, January 04, 2003 6:22 PM
To: L. Christopher Luther
Cc: Snort-Users (E-mail)
Subject: RE: [Snort-users] Snort Syslog Alerts on Win32



> Unfortunately, using the command line parameter for syslog is 
> not an option, exactly because I don't want to clobber the other 
> output plug-ins in the snort.conf file.  And it probably will not 
> work anyway under Win32 (see the post/rant I just sent to the list).  
> It appears that  "syslog" under Win32 really means "Event Log", 
> which just will not do. 
>
> Presuming that Snort under Win32 will some day really support syslog 
> output, hopefully then there will also be a "host=" and "port="
> option for the alert_syslog plug-in. 

Not sure why the rant, but I've been using snort (v1.8.x -> current)
with local and remote syslog consistently on a Win2kPro box (as well 
as Linux). Nothing goes to the Event Log.

Before ranting further, it might be helpful to those on the list to
understand exactly what you're trying to accomplish.