Https://papertrailapp.com/ or a free cloud syslog for WAN Barnyard2

hamdy.aea

I would like to know if it's possible to use a free syslog server like https://papertrailapp.com/ for WAN Barnyard2 ? If it's possible, how to configure it ?

bmeeks

You can configure Barnyard2 to output data to a remote syslog server.  On the BARNYARD tab for the Snort interface, click the option to send logs to a syslog server.  Additional input elements will then appear where you can specify the IP address or host name for the remote server as well as the port and the facility and severity levels.

Bill

hamdy.aea

WAN Barnyard2 don't start and i have this log :

Barnyard2 spooler: Event cache size set to [8192]
Jan 04 19:06:14 178.83. barnyard2: Log directory = /var/log/snort/snort_re041684
Jan 04 19:06:14 178.83. barnyard2: using operation_mode: default
Jan 04 19:06:18 178.83. barnyard2: FATAL ERROR: could not resolve address[logs3.papertrailapp.com:21749]
Jan 04 19:06:18 178.83. barnyard2: Barnyard2 exiting
Jan 04 19:06:18 178.83. barnyard2: ===============================================================================

Jan 04 19:06:18 178.83. php-fpm: /snort/snort_interfaces.php: The command '/usr/pbi/snort-amd64/bin/barnyard2 -r 41684 -f "snort_41684_re0.u2" –pid-path /var/run --nolock-pidfile -c /usr/pbi/snort-amd64/etc/snort/snort_41684_re0/barnyard2.conf -d /var/log/snort/snort_re041684 -D -q' returned exit code '1', the output was ''

bmeeks

@hamdy.aea:

WAN Barnyard2 don't start and i have this log :

Barnyard2 spooler: Event cache size set to [8192]
Jan 04 19:06:14 178.83. barnyard2: Log directory = /var/log/snort/snort_re041684
Jan 04 19:06:14 178.83. barnyard2: using operation_mode: default
Jan 04 19:06:18 178.83. barnyard2: FATAL ERROR: could not resolve address[logs3.papertrailapp.com:21749]
Jan 04 19:06:18 178.83. barnyard2: Barnyard2 exiting
Jan 04 19:06:18 178.83. barnyard2: ===============================================================================

Jan 04 19:06:18 178.83. php-fpm: /snort/snort_interfaces.php: The command '/usr/pbi/snort-amd64/bin/barnyard2 -r 41684 -f "snort_41684_re0.u2" –pid-path /var/run --nolock-pidfile -c /usr/pbi/snort-amd64/etc/snort/snort_41684_re0/barnyard2.conf -d /var/log/snort/snort_re041684 -D -q' returned exit code '1', the output was ''

Don't add the port at the end of the URL.  Barnyard does not know how to decode that.  I don't have access to my firewall at the moment to verify, but I was thinking there is a separate box for port selection in the syslog settings on the BARNYARD page.  I may be wrong, though.  If there is no specific port setting box on the GUI page, then only the standard syslog port will work.

Bill

hamdy.aea

I tried to put only the adresse and i have change de port from 514 to the pappetrailapp port and I have opened this port in firewall and it doesn't work. I want to try again.