Snort mailing list archives
Re: Syslog How To
From: Erek Adams <erek () snort org>
Date: Thu, 17 Jul 2003 09:56:54 -0400 (EDT)
On Thu, 17 Jul 2003, Jason wrote:
I would like to send alerts to a remote syslog server. I am new to Snort (and Linux) and don't understand how to configure this. My snort.conf file has the "output alert_syslog: LOG_AUTH LOG_ALERT LOG_NDELAY" line. I have a Windows server running Kiwi Syslog and would like to log to that. Would anyone be generous enough to send me their configuration file so I have something to reference? I have several other questions about the snort.conf file and this could possibly clear up some confusion. Thanks for the help,
It's actually simple.
First: What OS are you running on your sensor? I think from what you
wrote that it's a version of Linux, so I'll work with that.
Second: Make whatever changes you need to syslog.conf. Once the changes
are made, send a HUP to syslogd.
Third: Start Snort. :)
Now, since you say you're new to Linux I'm going to assume that steps 2 and
3 might give you a bit of fun. :) 'man syslog.conf' for starters.
Basically it's the file that syslogd uses for its config info. If you
add a line something like:
auth.alert @some.host.somewhere
Now, you can do more things, but that's the most basic.
If you're not familiar, 'sending a HUP' means that you send a HUP signal
to the syslogd daemon.
ps -ef (or ps -auxww) |grep syslogd
You'll see a line that looks something like:
root 15028 0.0 0.0 100 380 ?? Is 12:40PM 0:00.35 syslogd
The process ID is 15028.
kill -HUP 15028
That should get you going.
Cheers!
-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson
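The three steps in the reply above, collected into one script. This is an added example and not code from the original thread or from the Snort project; it assumes a classic syslogd that reads /etc/syslog.conf (the same selector/@host syntax also works in rsyslog), that snort.conf carries "output alert_syslog: LOG_AUTH LOG_ALERT", and the remote host name logs.example.internal is a placeholder for the Kiwi box.

```shell
#!/bin/sh
# Added example (not from the original post): forward Snort's syslog alerts
# from a Linux sensor to a remote syslog host, following the reply's steps.
# Assumptions: classic syslogd reading /etc/syslog.conf, Snort configured with
# "output alert_syslog: LOG_AUTH LOG_ALERT" (facility auth, priority alert),
# and a placeholder remote host name "logs.example.internal".

SYSLOG_CONF="${SYSLOG_CONF:-/etc/syslog.conf}"
REMOTE_HOST="${REMOTE_HOST:-logs.example.internal}"

# Map the Snort facility/priority pair to a syslog.conf selector:
# LOG_AUTH + LOG_ALERT -> "auth.alert"
syslog_selector() {
    fac=$(printf '%s' "$1" | sed 's/^LOG_//' | tr 'A-Z' 'a-z')
    pri=$(printf '%s' "$2" | sed 's/^LOG_//' | tr 'A-Z' 'a-z')
    printf '%s.%s' "$fac" "$pri"
}

# Append "selector<TAB>@host" to the given syslog.conf once (idempotent:
# if the exact rule is already present nothing is written). Classic
# syslog.conf wants a TAB between selector and action; "@host" means
# forward over UDP port 514.
add_forward_rule() {
    conf="$1"; selector="$2"; host="$3"
    rule=$(printf '%s\t@%s' "$selector" "$host")
    if grep -qF "$rule" "$conf" 2>/dev/null; then
        return 0
    fi
    printf '%s\n' "$rule" >> "$conf"
}

# Read ps output on stdin and print the PID of syslogd, i.e. field 2 in both
# "ps -ef" (UID PID PPID ...) and "ps auxww" (USER PID %CPU ...) layouts.
# The "[s]yslogd" pattern keeps the grep process itself out of the match.
syslogd_pid_from_ps() {
    grep '[s]yslogd' | awk '{print $2}' | head -n 1
}

# Step 2b of the reply: send SIGHUP so syslogd re-reads its config.
reload_syslogd() {
    pid=$(ps -ef | syslogd_pid_from_ps)
    if [ -z "$pid" ]; then
        echo "syslogd not running" >&2
        return 1
    fi
    kill -HUP "$pid"
}

# Only touch the live system when explicitly asked: ./forward.sh apply
if [ "${1:-}" = "apply" ]; then
    sel=$(syslog_selector LOG_AUTH LOG_ALERT)
    add_forward_rule "$SYSLOG_CONF" "$sel" "$REMOTE_HOST"
    reload_syslogd
    echo "now start snort (step 3); alerts go to $REMOTE_HOST via $sel"
fi
```

Two caveats a sensor owner should keep in mind. Plain @host forwarding is UDP, unauthenticated and unencrypted, so anyone on the path can read or spoof alerts; keep the sensor-to-collector path on a management network (rsyslog's @@host at least moves it to TCP). And make sure the Windows host's firewall admits UDP/514 to Kiwi, otherwise alerts disappear silently since UDP gives the sensor no error.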
Current thread:
- Syslog How To Jason (Jul 17)
- Re: Syslog How To Erek Adams (Jul 17)
- Re: Syslog How To twig les (Jul 17)
- Re: Syslog How To Erek Adams (Jul 17)
