Sending Snort logs to a remote log server
Posted on 10-24-2008 21:14:54 UTC | Updated on 10-24-2008 21:48:19 UTC
Section: /software/snort/

I had a weird problem with snort recently. I downloaded the Red Hat 5 rpm from snort.org and installed it on a CentOS 5 machine. It installed fine, and I looked over the config files in /etc/sysconfig/snort and /etc/snort/snort.conf. I changed what I needed for my configuration, adding a line to snort.conf that sets an output plugin to send alerts to the local syslog daemon, then restarted snort.

This is what the line in the /etc/snort/snort.conf file looks like.

output alert_syslog: LOG_LOCAL5 LOG_ALERT

That line sends alerts to syslog on the LOCAL5 facility. To finish the remote syslog setup on the snort machine you just need to add a line to the same machine's /etc/syslog.conf so that everything logged to LOCAL5 is forwarded to the remote loghost. That line looks like this.

local5.* @loghost.domain.lan

Restart the syslogd service. The last thing you need to do to get the messages from the snort machine to the loghost is to set up the local5 facility in the loghost's /etc/syslog.conf. That line will look like the following.

local5.* /var/log/snort

After putting in that line, restart syslogd and the alerts from snort should start going to the /var/log/snort file. That is what is supposed to happen. I started a tail -f /var/log/snort and was getting nothing. I rechecked my setup and it looked correct. After poring through the syslog on the snort machine I found an interesting message in the snort startup output.

command line overrides rules file alert plugin!

The default variables used during snort startup were overriding the output plugins! Sure enough, I checked the snort FAQ and it said "Using "-A" or "-s" will override any database logging configuration". This also seems to be true for syslog logging. By default the rpm snort.org gives out sets -A, which overrides the output logging config. What a pain! To fix this you can set the alert mode to blank in the /etc/sysconfig/snort file, so it looks like the following.

ALERTMODE=

Doing this keeps -A from being used on startup. After blanking this and restarting snort, the messages started flowing.
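Because the override is silent apart from one startup line, it is worth checking the whole chain before trusting a remote loghost for snort alerts. The script below is an added example, not from the original post or the snort project: it reads the three files discussed above (snort.conf, /etc/sysconfig/snort, syslog.conf), and the helper names, the sample file contents and the ALERTMODE=fast value are constructed for the demonstration.

```shell
#!/bin/sh
# Added pre-flight check for the snort -> syslog -> loghost chain above.
# Helper names and the sample config files are constructed for this example.

# Facility named on snort.conf's alert_syslog output line (e.g. LOG_LOCAL5).
snort_syslog_facility() {
    sed -n 's/^[[:space:]]*output[[:space:]]*alert_syslog:[[:space:]]*\(LOG_[A-Z0-9]*\).*/\1/p' "$1" | head -n 1
}

# True when /etc/sysconfig/snort sets a non-empty ALERTMODE: the init script
# then passes -A, snort prints "command line overrides rules file alert
# plugin!" and the output plugin is ignored.  Last assignment wins, quotes stripped.
alertmode_overrides() {
    v=$(sed -n 's/^ALERTMODE=//p' "$1" | tail -n 1 | tr -d "\"'")
    [ -n "$v" ]
}

# Destination of a simple "<facility>.* <target>" selector line in syslog.conf
# (a file path or @host).  Compound selectors are not handled here.
syslog_destination() {
    fac=$(printf '%s' "$2" | sed 's/^LOG_//' | tr 'A-Z' 'a-z')
    awk -v f="$fac" '$1 == (f ".*") { print $2; exit }' "$1"
}

# Walk the chain: snort.conf, /etc/sysconfig/snort, syslog.conf.  Returns 0
# only when alerts can actually reach syslog and are routed somewhere.
check_chain() {
    fac=$(snort_syslog_facility "$1")
    [ -n "$fac" ] || { echo "no alert_syslog output plugin in $1"; return 1; }
    if alertmode_overrides "$2"; then
        echo "ALERTMODE is set in $2: -A overrides alert_syslog"; return 1
    fi
    dest=$(syslog_destination "$3" "$fac")
    [ -n "$dest" ] || { echo "$fac is not routed in $3"; return 1; }
    echo "OK: $fac -> $dest"
}

# Constructed sample files mirroring the post: the broken state (RPM default
# ALERTMODE still set) and the fixed state (ALERTMODE blanked).
TMP=$(mktemp -d)
SNORT_CONF="$TMP/snort.conf";   printf 'output alert_syslog: LOG_LOCAL5 LOG_ALERT\n' > "$SNORT_CONF"
BAD_SYSCONFIG="$TMP/snort.bad"; printf 'ALERTMODE=fast\n' > "$BAD_SYSCONFIG"
GOOD_SYSCONFIG="$TMP/snort.ok"; printf 'ALERTMODE=\n' > "$GOOD_SYSCONFIG"
SYSLOG_CONF="$TMP/syslog.conf"; printf 'local5.*\t@loghost.domain.lan\n' > "$SYSLOG_CONF"

check_chain "$SNORT_CONF" "$BAD_SYSCONFIG"  "$SYSLOG_CONF"   # ALERTMODE is set ...: -A overrides alert_syslog
check_chain "$SNORT_CONF" "$GOOD_SYSCONFIG" "$SYSLOG_CONF"   # OK: LOG_LOCAL5 -> @loghost.domain.lan
```

Run it against the real files on the snort machine and again with the loghost's syslog.conf (where the destination is the /var/log/snort path) to confirm both hops.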
