How to send Snort alert logs to Graylog without Barnyard2?

  • Barnyard2 is outdated and poorly supported; it simply can't do the job.

    Is there another way to achieve this?

    Thanks in advance,

    Karel Van Hecke.

  • Snort3, once it arrives in production form, offers JSON logging options that will work better than the old Unified2 logging. There are some implementations out there today using an ELK stack to grab Snort logs. You can search around on Google for some examples.

    You are correct that Barnyard2 is really almost dead. I've seen no development work on it in several years, and it has some serious MySQL database interface bugs after the last update it did receive several years back.

  • @bmeeks In the meantime I am simply sending Snort alerts to the general pfSense log and forward them that way.

  • The best method I've found around this is to edit the rule attached to the interface.

    Alert Settings
    ✓ "Send Alerts to System Log Snort will send Alerts to the firewall's system log."

    then on the pfSense interface head into:
    Status > System > Logs > Settings

    Remote Logging Options
    ✓ Enable Remote Logging Send log messages to remote syslog server.

    Although in my opinion this isn't particularly secure in comparison to TCP with TLS.
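Once the alerts reach a syslog target this way, each one is a single text line in Snort's alert_syslog layout, mixed in with the rest of the pfSense system log. The following is an added example (not code from this thread, from the pfSense Snort package, or from Graylog) of the two pieces a practitioner ends up writing: a parser that pulls the rule ID, classification, priority, protocol and endpoints out of those lines while skipping everything else, and a GELF sender that ships the result to a Graylog "GELF TCP" input over TLS, which addresses the UDP caveat above. Assumptions: the standard Snort alert_syslog line layout with IPv4 endpoints, a Graylog GELF TCP input on port 12201 with TLS enabled (the CA file path and host name are placeholders), and the sample lines below, which are constructed for this example using documentation address ranges.

```python
import json
import re
import socket
import ssl
import time

# Constructed sample input: what a remote syslog target sees once "Send Alerts to
# System Log" is enabled on the Snort interface and pfSense forwards its system log.
# Addresses are from documentation ranges, not real traffic. The fourth line is an
# ordinary pfSense message that a parser has to skip.
SAMPLE_LINES = [
    "<33>Mar 10 14:22:05 pfSense snort[4321]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:80 -> 192.0.2.25:51234",
    "<33>Mar 10 14:22:06 pfSense snort[4321]: [1:1000001:1] LOCAL ICMP ping sweep "
    "[Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.7 -> 192.0.2.25",
    "<33>Mar 10 14:22:07 pfSense snort[4321]: [1:2003068:7] ET SCAN Potential SSH Scan "
    "[Priority: 3] {TCP} 198.51.100.7:44021 -> 192.0.2.25:22",
    "<30>Mar 10 14:22:08 pfSense php-fpm[321]: /index.php: Successful login for user 'admin' from: 192.0.2.9",
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Snort alert_syslog layout:
#   [gid:sid:rev] msg [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]
# Classification is optional (rules without a classtype omit it); ports are absent for ICMP.
# IPv6 endpoints are deliberately not handled by this regex.
ALERT_RE = re.compile(
    r"^(?:<(?P<pri>\d+)>)?"                                   # syslog PRI, may be stripped by the forwarder
    r"(?P<syslog_ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"  # BSD timestamp, carries no year
    r"(?P<host>\S+)\s+snort\[(?P<pid>\d+)\]:\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+"
    r"(?:\[Classification:\s+(?P<classification>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[A-Z0-9]+)\}\s+"
    rf"(?P<src>{IPV4})(?::(?P<sport>\d+))?\s+->\s+"
    rf"(?P<dst>{IPV4})(?::(?P<dport>\d+))?\s*$"
)
INT_FIELDS = ("pri", "pid", "gid", "sid", "rev", "priority", "sport", "dport")


def parse_alert(line):
    """Return a dict of the alert's fields, or None if the line is not a Snort alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    for key in INT_FIELDS:
        if alert[key] is not None:
            alert[key] = int(alert[key])
    return alert


def parse_lines(lines):
    """Parse a stream of syslog lines, dropping everything that is not a Snort alert."""
    return [a for a in map(parse_alert, lines) if a is not None]


# Snort priority 1 is the most severe. The mapping onto syslog-style GELF levels
# (critical, warning, notice; anything else informational) is a choice for this example.
PRIORITY_TO_LEVEL = {1: 2, 2: 4, 3: 5}


def to_gelf(alert, timestamp=None):
    """Build a GELF 1.1 message; additional fields carry a leading underscore per the GELF spec."""
    gelf = {
        "version": "1.1",
        "host": alert["host"],
        "short_message": alert["msg"],
        "timestamp": time.time() if timestamp is None else timestamp,
        "level": PRIORITY_TO_LEVEL.get(alert["priority"], 6),
        "_rule": f"{alert['gid']}:{alert['sid']}:{alert['rev']}",
    }
    for key in ("gid", "sid", "rev", "classification", "priority", "proto",
                "src", "sport", "dst", "dport", "syslog_ts"):
        if alert[key] is not None:
            gelf["_" + key] = alert[key]
    return gelf


def send_gelf_tcp(messages, graylog_host, port=12201, cafile=None):
    """Ship GELF messages to a Graylog GELF TCP input over TLS (assumed enabled on the input).

    GELF over TCP frames each JSON document with a trailing NUL byte. cafile is the CA that
    signed the input's certificate; the default context verifies the certificate and the
    host name, which plain UDP syslog forwarding cannot offer. Returns the number sent."""
    ctx = ssl.create_default_context(cafile=cafile)
    sock = ctx.wrap_socket(socket.create_connection((graylog_host, port), timeout=10),
                           server_hostname=graylog_host)
    sent = 0
    try:
        for msg in messages:
            sock.sendall(json.dumps(msg).encode("utf-8") + b"\x00")
            sent += 1
    finally:
        sock.close()
    return sent


if __name__ == "__main__":
    for gelf in map(to_gelf, parse_lines(SAMPLE_LINES)):
        print(json.dumps(gelf))
    # Placeholder host and CA path; uncomment against a real input:
    # send_gelf_tcp(map(to_gelf, parse_lines(SAMPLE_LINES)), "graylog.example.internal",
    #               cafile="/etc/ssl/internal-ca.pem")
```

The same regex can be pasted into a Graylog extractor or pipeline rule if you would rather keep sending plain syslog and do the field extraction on the Graylog side; the point of parsing before shipping is that the TLS-protected GELF input then receives already-structured events and nothing else from the firewall's system log.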

  • I use filebeat for this (with Suricata JSON logs -- but you could do this with
    the snort alerts.log just as easily).

    My filebeat.yml:

    #------------------------- File prospectors --------------------------------
    filebeat.prospectors:
      - input_type: log
        paths:
          - /var/log/suricata/*/eve.json*
        # place the custom fields at the top level of the event rather than under "fields"
        fields_under_root: true
        fields:
          type: "suricataIDPS"
        tags: ["SuricataIDPS","JSON"]
    #----------------------------- Logstash output --------------------------------
    output.logstash:
      hosts: ["x.x.x.x:5044"]
    #---------------------------- filebeat logging -------------------------------
    logging.to_files: true
    logging.files:
      path: /var/log/filebeat
      name: filebeat.log
      keepfiles: 30