Snort Syslog question

  • Version  1.2.3-RELEASE
    built on Sun Dec 6 23:21:36 EST 2009

    Services: Snort 2.8.6 pkg v. 1.26

    Device - VMware

    Question on Snort Syslog.  I know that the FAQ says the Barnyard feature is not done yet, and that snort stores its logs in /var/log/snort/snort_sys_0ng0 according to the FAQ.

    My question is if there is a way to currently output the snort alerts to the Syslog (not barnyard).    My desire is to use the Snort frontend IDS on a mirrored port to gather the snort data and then output that as a syslog to another device which sorts/parses/etc the Syslog data for the snort information to include with other network data in statistical reports and such.

    I've currently enabled "Send alerts to main System logs - Snort will send Alerts to the Pfsense system logs." on the interface settings, and I'm generating alerts internally in PFsense (accessible through the 'alerts' tab) but nothing is outputting to the Syslog on PFsense and therefor my remote server isn't picking up snort data either.

    Logging works in PFsense otherwise, and reports normal PFsense functions and package reloads and all that fun stuff.  Remote syslog picks up the normal stuff from PFsense, just not the Snort data.

    Otherwise, everything runs great on Snort, no errors or anything.

    And yes, I know my method of snort>otherserver is not really the best method, but it is what I have right now so I'm trying to make it work :)

Log in to reply