
    Snort logs in Status -> System Logs -> Authentication -> General

    • NogBadTheBad

      Should they be here?

      TBH I never really look in the Authentication -> General section and noticed them earlier today.

      Screenshot 2021-06-22 at 08.41.39.png

      Andy

      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

      • bmeeks

        Does all Snort alerts syslog traffic get logged there, or just those particular rules alerts? You control the log level used by Snort when logging to syslog on the INTERFACE SETTINGS tab for the particular Snort interface.

        • NogBadTheBad

          @bmeeks All set to the defaults, apart from logging u2 VLAN events for the LAN.

          They also seem to be in Status -> System Logs -> System -> General, where I'd expect them to be.

          WAN:-

          Screenshot 2021-06-22 at 15.42.32.png

          LAN:-

          Screenshot 2021-06-22 at 15.43.24.png

          Andy

          • bmeeks

            The System Log Facility setting controls "where" the entries are logged. Or more accurately, what "tag" they are given in syslog. So with the default of LOG_AUTH, those alerts are going to be given that tag, so when filtering in pfSense's system log, they will show up that way. The "General" view in pfSense grabs everything (if I recall) regardless of the "tag" it was given when logged. But those other tabs do let you filter by the facility tag.

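The facility tagging described in the last reply, as an added example that is not part of the original thread: it decodes the PRI value of raw syslog lines (as a remote syslog receiver would see them) and reports which programs other than the expected ones are writing to the auth facilities. The sample lines, the alert severity, the LOG_LOCAL4 variant and the `EXPECTED_AUTH_PROGRAMS` allowlist are constructed assumptions.

```python
import re
from collections import Counter

# Facility and severity names by number (RFC 5424 numbering, as used by syslog(3)).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
FACILITIES += [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

LINE_RE = re.compile(
    r"^<(\d{1,3})>(\w{3}\s+\d+\s[\d:]{8})\s(\S+)\s([\w./-]+)(?:\[\d+\])?:\s(.*)$")

# Assumption (hypothetical allowlist): programs expected in the auth facilities.
EXPECTED_AUTH_PROGRAMS = {"sshd", "sudo", "su", "login"}

# Constructed sample lines; addresses are documentation ranges, SIDs are made up.
SAMPLE = [
    "<33>Jun 22 08:41:39 fw snort[12345]: [1:1000001:1] Constructed test alert {TCP} 198.51.100.7:40000 -> 192.0.2.1:443",
    "<33>Jun 22 08:41:40 fw snort[12345]: [1:1000002:1] Constructed test alert {UDP} 198.51.100.7:5353 -> 192.0.2.1:53",
    "<38>Jun 22 08:40:02 fw sshd[2201]: Accepted publickey for admin from 192.0.2.10 port 50022 ssh2",
    "<30>Jun 22 08:42:10 fw dhcpd[900]: DHCPACK on 192.0.2.50",
    # Same alert after switching the facility to LOG_LOCAL4 (constructed).
    "<161>Jun 22 08:43:00 fw snort[12345]: [1:1000001:1] Constructed test alert {TCP} 198.51.100.7:40001 -> 192.0.2.1:443",
]

def parse(line):
    """Split a raw BSD-syslog line into facility, severity, program and message."""
    m = LINE_RE.match(line)
    if not m or int(m.group(1)) > 191:  # PRI = facility * 8 + severity, max 23*8+7
        return None
    pri = int(m.group(1))
    return {"facility": FACILITIES[pri >> 3], "severity": SEVERITIES[pri & 7],
            "program": m.group(4), "message": m.group(5)}

def auth_view(lines):
    """Entries that a filter on the auth/authpriv facility would show."""
    parsed = (parse(line) for line in lines)
    return [e for e in parsed if e and e["facility"] in ("auth", "authpriv")]

def unexpected_in_auth(lines):
    """Count auth-facility entries per program not in the expected set."""
    return Counter(e["program"] for e in auth_view(lines)
                   if e["program"] not in EXPECTED_AUTH_PROGRAMS)

if __name__ == "__main__":
    for entry in auth_view(SAMPLE):
        print(entry["facility"], entry["severity"], entry["program"])
    print(dict(unexpected_in_auth(SAMPLE)))
```

With the constructed sample, the two LOG_AUTH Snort alerts land in the auth view next to the sshd entry, while the LOG_LOCAL4 alert does not.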