I forgot to add this in snort.conf:

    output alert_fast: alert

This is needed because otherwise snort wouldn't log to /var/log/snort/alert anymore.

Kind regards

On Tuesday 10 June 2008 12:45:09 Thomas Wouters wrote:
> Greetings,
>
> I've been looking for a way to report snort IDS logs to a remote syslog
> server.
> The documentation states that "Currently not every service is able to use
> syslog. Therefore some can only write down to log files and cannot log to a
> remote syslog server. Services which currently cannot use syslog are: all
> sort of HTTP services (administration web server, HTTP proxy, HTTP content
> filter, HAVP), FTP proxy, IDS (snort)." but I really needed it, so I tried
> to figure out how to enable this anyway.
>
> So, after a bit of research I've been able to get it to work.
>
> All I had to do was add a rule to /etc/syslog.conf stating that the logs
> should go to a remote host:
>
>     *.* @192.168.1.2
>
> and remove the "-A fast" option in /usr/local/bin/restartsnort.py
>
> In /etc/snort/snort.conf I added the following rule:
>
>     output alert_syslog: LOG_AUTH LOG_ALERT
>
> I thought I should share this with you, just so you know...
>
> I hope this helps someone out, some day.
>
> Kind regards

_______________________________________________
Efw-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/efw-user
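Once the alert_syslog output above is in place, every Snort alert reaches the remote syslog server as one line, and the collector needs to turn those lines back into structured fields. The following parser is an added example written for this thread; it is not code from the original posts or from the Endian project. It assumes the message shape Snort 2.x produces with alert_syslog (`[gid:sid:rev] msg [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port`), handles IPv4 only, and the sample log lines, hostname, pid and rule ids are constructed for the demonstration.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines in the shape Snort 2.x alert_syslog produces after
# the local syslog daemon relays them to a collector. Hostname ("efw"), pids,
# rule ids and addresses are made up; the last line is unrelated sshd noise
# that a collector receiving "*.*" will also see and must skip.
SAMPLE_LINES = [
    "Jun 10 12:45:09 efw snort[1234]: [1:2003:8] ET SCAN Potential SSH Scan "
    "[Classification: Attempted Information Leak] [Priority: 2] "
    "{TCP} 192.168.1.50:44321 -> 192.168.1.1:22",
    "Jun 10 12:45:11 efw snort[1234]: [1:408:5] ICMP Echo Reply "
    "[Classification: Misc activity] [Priority: 3] "
    "{ICMP} 192.168.1.1 -> 192.168.1.50",
    "Jun 10 12:45:12 efw snort[1234]: [1:1000001:1] LOCAL test rule without "
    "classification [Priority: 1] {UDP} 10.0.0.5:53 -> 192.168.1.7:51000",
    "Jun 10 12:45:13 efw sshd[999]: Accepted publickey for admin from "
    "192.168.1.9 port 50022 ssh2",
]

# Optional syslog header: timestamp and the sensor hostname that relayed the line.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) snort\["
)

# The Snort alert body. Classification is optional because rules without a
# classtype omit it; ports are optional because ICMP alerts carry none.
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ALERT_RE = re.compile(
    r"snort\[(?P<pid>\d+)\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.*?) "
    r"(?:\[Classification: (?P<classification>[^\]]*)\] )?"
    r"\[Priority: (?P<priority>\d+)\] "
    r"\{(?P<proto>[A-Z0-9]+)\} "
    rf"(?P<src>{IPV4})(?::(?P<sport>\d+))? -> "
    rf"(?P<dst>{IPV4})(?::(?P<dport>\d+))?$"
)


@dataclass
class SnortAlert:
    sensor: Optional[str]
    timestamp: Optional[str]
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_line(line: str) -> Optional[SnortAlert]:
    """Return a SnortAlert for a Snort syslog alert line, or None for anything else."""
    body = ALERT_RE.search(line)
    if body is None:
        return None
    header = HEADER_RE.match(line)
    return SnortAlert(
        sensor=header.group("host") if header else None,
        timestamp=header.group("ts") if header else None,
        gid=int(body.group("gid")),
        sid=int(body.group("sid")),
        rev=int(body.group("rev")),
        msg=body.group("msg"),
        classification=body.group("classification"),
        priority=int(body.group("priority")),
        proto=body.group("proto"),
        src=body.group("src"),
        sport=int(body.group("sport")) if body.group("sport") else None,
        dst=body.group("dst"),
        dport=int(body.group("dport")) if body.group("dport") else None,
    )


def parse_lines(lines: List[str]) -> List[SnortAlert]:
    """Parse a batch of syslog lines, silently dropping non-Snort entries."""
    return [a for a in (parse_line(l) for l in lines) if a is not None]


def count_by_source(alerts: List[SnortAlert]) -> Dict[str, int]:
    """Alert count per source address: a first cut at spotting a noisy host."""
    return dict(Counter(a.src for a in alerts))


if __name__ == "__main__":
    for alert in parse_lines(SAMPLE_LINES):
        print(f"{alert.sensor} sid={alert.sid} pri={alert.priority} "
              f"{alert.proto} {alert.src}:{alert.sport} -> {alert.dst}:{alert.dport} {alert.msg}")
    print(count_by_source(parse_lines(SAMPLE_LINES)))
```

The `*.*` selector from the post forwards every facility, so the collector sees sshd and other daemons mixed in with Snort; `parse_line` returns None for those rather than raising, which keeps a long-running ingest loop alive. Note that this parses only the syslog form: the local /var/log/snort/alert file written by alert_fast uses a different line layout and would need its own pattern.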
