Problem
You want Snort to write its alerts to a system logfile such as /var/log/messages under Linux, so that you have a centralized logging facility.
Solution
Use the alert_syslog output plug-in in the /etc/snort.conf file.
output alert_syslog:
With no arguments the plug-in uses its built-in defaults (facility LOG_AUTH, priority LOG_ALERT). To choose your own values, list a facility, a priority, and any options after the colon. For example, to send alerts to the system log with a facility of LOG_DAEMON (log as a system daemon), a priority of LOG_CRIT (critical conditions), and the option LOG_PERROR (also write each message to standard error), you would use the following:
output alert_syslog: LOG_DAEMON LOG_CRIT LOG_PERROR
Discussion
Logging to the system logfiles is a useful way of monitoring all your systems in one place. With the log-monitoring tools described in later chapters, you can watch everything from disk usage to intrusion attempts from the same console. Because syslog can forward messages to another machine, the same mechanism also gets Snort alerts onto a central log host: configure the syslog daemon on the sensor to forward the chosen facility to the loghost. Bear in mind that classic syslog forwarding is cleartext UDP with no authentication and no delivery guarantee, so anyone on the path can read, drop, or forge alerts; for a security sensor, forward over a dedicated management network or use a syslog implementation that offers a reliable, authenticated transport.
The facility, priority, and option names correspond directly to the constants documented in the syslog(3) manpage on Unix systems; refer to it for the details.
Facility is one of LOG_AUTH, LOG_AUTHPRIV, LOG_DAEMON, LOG_USER, and LOG_LOCAL0 through LOG_LOCAL7. The facility determines which syslog configuration rule, and therefore which file or remote host, receives the alerts, so pick one that your syslog configuration actually routes somewhere (LOG_LOCAL0 through LOG_LOCAL7 are reserved for exactly this kind of site-specific use).
Priority is one of LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR, LOG_WARNING, LOG_NOTICE, LOG_INFO, and LOG_DEBUG. This single level is applied to every alert Snort emits; the priority of the rule that fired is carried only in the text of the message.
Finally, the options are LOG_CONS (write to the console if the log daemon cannot be reached), LOG_NDELAY (open the connection to the log daemon immediately rather than on the first message), LOG_PERROR (also write each message to standard error), and LOG_PID (include Snort's process ID in each message). Options may be combined by listing more than one.
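Once alerts are in the messages file, the next step is usually a script that pulls them back out. The following Python program is an added example for this recipe, not code from the Snort Cookbook or from the Snort project. It parses Snort alert lines out of syslog text, ignores lines written by other daemons, and counts the alerts whose rule priority is at or above a cut-off. The log lines are constructed for the example, and the message layout the regular expression expects ([gid:sid:rev] msg [Classification: ...] [Priority: n] {PROTO} src -> dst) is assumed to be what the Snort 2.x alert_syslog plug-in writes; compare it with a line from your own sensor before relying on it.

```python
"""Parse Snort alert lines out of a syslog file and triage them by rule priority."""
import re
from collections import Counter

# Constructed sample of /var/log/messages on a sensor running Snort with
# "output alert_syslog: LOG_DAEMON LOG_CRIT LOG_PID". These lines are made
# up for this example; they were not captured from a real sensor. Note that
# the syslog priority (LOG_CRIT) is invisible here: syslogd writes only the
# timestamp, host, ident[pid] and message text to the file.
SAMPLE_LOG = """\
Mar  3 14:02:11 sensor1 snort[2231]: [1:2003:8] SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.9:4132 -> 192.0.2.15:1434
Mar  3 14:02:12 sensor1 snort[2231]: [1:1000001:1] ICMP ping to gateway [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.7 -> 192.0.2.1
Mar  3 14:02:14 sensor1 snort[2231]: [1:1390:5] SHELLCODE x86 inc ebx NOOP [Classification: Executable code was detected] [Priority: 1] {TCP} 198.51.100.4:51022 -> 192.0.2.15:80
Mar  3 14:02:15 sensor1 sshd[880]: Accepted publickey for ops from 192.0.2.20 port 52144 ssh2
Mar  3 14:02:16 sensor1 snort[2231]: [1:1390:5] SHELLCODE x86 inc ebx NOOP [Classification: Executable code was detected] [Priority: 1] {TCP} 198.51.100.4:51023 -> 192.0.2.15:80
"""

# Message layout assumed for Snort 2.x's alert_syslog plug-in (check a line
# from your own sensor before relying on it):
#   [gid:sid:rev] msg [Classification: text] [Priority: n] {PROTO} src[:port] -> dst[:port]
# The "[Classification: ...]" part is absent for rules without a classtype.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) snort\[(?P<pid>\d+)\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] )?"
    r"\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)


def split_endpoint(endpoint):
    """'ip:port' -> (ip, port); a bare 'ip' (ICMP alerts) -> (ip, None).
    Assumes IPv4 addresses as the plug-in prints them."""
    ip, sep, port = endpoint.rpartition(":")
    return (ip, int(port)) if sep else (endpoint, None)


def parse_alert(line):
    """Return a dict for a Snort alert line, or None for any other syslog line."""
    m = ALERT_RE.match(line)
    if m is None:
        return None
    src_ip, src_port = split_endpoint(m["src"])
    dst_ip, dst_port = split_endpoint(m["dst"])
    return {
        "ts": m["ts"], "host": m["host"], "pid": int(m["pid"]),
        "gid": int(m["gid"]), "sid": int(m["sid"]), "rev": int(m["rev"]),
        "msg": m["msg"], "classification": m["cls"],
        # Rule priority from the classtype (1 = most severe). This is NOT the
        # syslog priority, which is fixed for every alert by the output line.
        "priority": int(m["prio"]),
        "proto": m["proto"],
        "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
    }


def parse_log(text):
    """Extract every Snort alert from a block of syslog text, skipping other daemons."""
    alerts = (parse_alert(line) for line in text.splitlines())
    return [a for a in alerts if a is not None]


def summarize(alerts, max_priority=2):
    """Count alerts with rule priority <= max_priority, keyed by (sid, msg)."""
    counts = Counter()
    for a in alerts:
        if a["priority"] <= max_priority:
            counts[(a["sid"], a["msg"])] += 1
    return counts


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    print(f"{len(found)} Snort alerts found")
    for (sid, msg), n in summarize(found).most_common():
        print(f"{n:3d}  sid={sid}  {msg}")
```

One point worth keeping straight: the [Priority: n] field inside the message is the rule's classtype priority, while the syslog priority on the output line (LOG_CRIT in the recipe) is one level stamped on every alert. syslog therefore cannot route Snort alerts by rule severity; filter on the message field instead, as summarize() does.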
See Also
syslog(3) manpage
Snort Users Manual