Logging to Multiple Locations

Problem

You want to log to a file and a database at the same time.

Solution

Use various output plug-ins such as the Snort output plug-ins in /etc/snort.conf:

output alert_syslog: LOG_AUTH LOG_ALERT output log_tcpdump: tcpdump.log output database: log, mysql, user=root password=test dbname=db host=localhost output alert_unified: filename snort.alert, limit 128 output log_unified: filename snort.log, limit 128

You may also use the Barnyard plug-ins in the /etc/barnyard.conf file:

output alert_fast /var/log/snort/fast_alert output log_dump /var/log/snort/dump_output output alert_csv: /var/log/snort/csv.out timestamp,msg,srcip, sport,dstip,dport,protoname,itype,icode output alert_syslog output log_pcap /var/log/snort/pcap_log

Discussion

You can log your Snort output to multiple locations by using multiple output plug-ins. These can be the standard Snort output plug-ins, as well as the Barnyard output utility plug-ins. For example, you can log fast alerts, CSV, and to a database all at the same time. The snort.conf file currently supports the syslog, TCPDump, database, and unified output plug-ins. Barnyard supports the fast alerts, ASCII log dump, CSV, syslog, pcap, ACID database, and SGUIL. However, the more ways you log, the more load it places on the Snort engine and the CPU. You must choose your hardware and operating system carefully when logging to multiple locations.

Using the Snort output plug-ins in the /etc/snort.conf file and the following examples, you can log to syslog:

output alert_syslog: LOG_AUTH LOG_ALERT

A TCPDump file:

output log_tcpdump: tcpdump.log

A database:

output database: log, mysql, user=root password=test dbname=db host=localhost

And unified logging:

output alert_unified: filename snort.alert, limit 128 output log_unified: filename snort.log, limit 128

The Barnyard output plug-ins can be configured in the /etc/barnyard.conf file using the following examples to log fast alerts with less information:

output alert_fast /var/log/snort/fast_alert

Output ASCII packet dumps:

output log_dump /var/log/snort/dump_output

Create a comma-separated value output file with various fields:

output alert_csv: /var/log/snort/csv.out timestamp,msg,srcip,sport,dstip,dport,protoname,itype,icode

Create syslog output:

output alert_syslog

And create pcap output:

output log_pcap /var/log/snort/pcap_log

See Also

Recipe 5.9