Snort mailing list archives
Re: Issues with remote syslog and snort.conf
From: Y M <snort () outlook com>
Date: Sat, 26 Jul 2014 23:39:28 +0000
From: jlay () slave-tothe-box net
To: snort-users () lists sourceforge net
Date: Sat, 26 Jul 2014 14:47:51 -0600
Subject: Re: [Snort-users] Issues with remote syslog and snort.conf
On Sat, 2014-07-26 at 15:30 -0400, Stephen Gantz wrote:
James,
Is your syslog host your gateway? You have the host in the first alert line as 192.168.1.1. If it is the same box
you are running Snort on, you can just use local host instead, like this:
output alert_syslog: host=127.0.0.1:514, LOG_AUTH LOG_ALERT
Otherwise, maybe you meant to have 192.168.1.253 in there. I was under the impression that the comma separator (in
your first line, but not the second) is required. I have never tried to list the host last instead of first, but I have
never had any trouble listing the host first.
One other thing to try: are you using -s in your startup command for Snort? I have found that the -s option is
needed, even when snort.conf is configured properly for syslog output. I know this is counter to the documentation, but
you might try adding -s to the startup string.
Dr. Stephen D. Gantz
CISSP-ISSAP, CEH, CGEIT, CRISC, CIPP/G, C|CISO
Professor of Information Assurance
The Graduate School
University of Maryland University College
stephen.gantz () faculty umuc edu
On Jul 26, 2014, at 2:31 PM, James Lay <jlay () slave-tothe-box net> wrote:
From the docs:
2.6.1.3 Example
output alert_syslog: host=10.1.1.1:514, <facility> <priority> <options>
I have not been successful in getting this to work with either:
output alert_syslog: host=192.168.1.1:514, LOG_AUTH LOG_ALERT
output alert_syslog: LOG_AUTH LOG_ALERT host=192.168.1.253:514
both get me:
WARNING: snort.conf (171) => Unrecognized syslog facility/priority: host=192.168.1.1:514
Is there something I'm missing to get this to go? I know barnyard can do this, but I'm not wanting to go down
that path yet. Thank you.
James
------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Well I'll be....yep as soon as I added -s it works like a champ...that doesn't make sense. Hey Joel would we consider
this a bug? To recap:
output alert_syslog: LOG_AUTH LOG_ALERT
the above works without -s
output alert_syslog: host=192.168.1.1:514, LOG_AUTH LOG_ALERT
the above requires -s
Thank you...and thanks Stephen....good to see someone from my alma mater on the list
James
I certainly did not know/test this. Thanks.
YM
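Before blaming the `host=` syntax in snort.conf, it helps to confirm that the remote syslog host accepts UDP datagrams on 514 at all and to see what facility/priority a given line actually encodes. The following is an added example written for this thread, not code from Snort or from any poster; it assumes a plain UDP syslog receiver and constructs its own test message (the `sensor` hostname and `snort` tag are placeholders).

```python
import re
import socket
import time

# Facility and severity numbers from RFC 3164 / <syslog.h>; the names are the
# same keywords used on Snort's "output alert_syslog:" line.
FACILITIES = {
    "LOG_KERN": 0, "LOG_USER": 1, "LOG_MAIL": 2, "LOG_DAEMON": 3, "LOG_AUTH": 4,
    "LOG_SYSLOG": 5, "LOG_LPR": 6, "LOG_NEWS": 7, "LOG_UUCP": 8, "LOG_CRON": 9,
    "LOG_AUTHPRIV": 10, "LOG_FTP": 11,
    **{f"LOG_LOCAL{i}": 16 + i for i in range(8)},
}
SEVERITIES = {
    "LOG_EMERG": 0, "LOG_ALERT": 1, "LOG_CRIT": 2, "LOG_ERR": 3,
    "LOG_WARNING": 4, "LOG_NOTICE": 5, "LOG_INFO": 6, "LOG_DEBUG": 7,
}
FAC_BY_NUM = {v: k for k, v in FACILITIES.items()}
SEV_BY_NUM = {v: k for k, v in SEVERITIES.items()}


def pri_value(facility, severity):
    """PRI = facility * 8 + severity; LOG_AUTH LOG_ALERT gives 33."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_message(facility, severity, tag, text):
    """Classic BSD-syslog line: <PRI>TIMESTAMP HOST TAG: text (day zero-padded here)."""
    ts = time.strftime("%b %d %H:%M:%S")
    return f"<{pri_value(facility, severity)}>{ts} sensor {tag}: {text}"


def parse_pri(line):
    """Return (facility_name, severity_name) decoded from the leading <PRI>."""
    m = re.match(r"<(\d{1,3})>", line)
    if not m:
        raise ValueError("no PRI header at start of line")
    pri = int(m.group(1))
    fac = FAC_BY_NUM.get(pri // 8, f"facility{pri // 8}")  # 12-15 are unassigned
    return fac, SEV_BY_NUM[pri % 8]


def probe(host, port, facility="LOG_AUTH", severity="LOG_ALERT"):
    """Send one constructed test line to host:port over UDP and return it."""
    msg = build_message(facility, severity, "snort", "[1:0:0] syslog path test")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(msg.encode(), (host, port))
    return msg


def loopback_roundtrip():
    """Self-test: bind an ephemeral loopback port, send to it, decode what arrived."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2)
        sent = probe("127.0.0.1", rx.getsockname()[1])
        got = rx.recv(2048).decode()
    return got == sent, parse_pri(got)
```

Run `probe("192.168.1.253", 514)` from the sensor and watch the receiver (or a packet capture on the far end); if nothing arrives there, the problem is the network path or the syslog daemon's listener, not the snort.conf line.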