Logging to System Logfiles

Problem

You want to log to a system logfile such as the messages file under Linux, so that you have a centralized logging facility.

Solution

Use the alert_syslog output plug-in in the /etc/snort.conf file.

output alert_syslog: <facility> <priority> <options>

For example, to send an alert to the system log with a facility of LOG_DAEMON (log as a system daemon), a Priority of LOG_CRIT (critical conditions), and the option LOG_PERROR (print the log to standard error as well), you would use the following:

output alert_syslog: LOG_DAEMON LOG_CRIT LOG_PERROR


Discussion

Logging to the system logfiles is a useful way of monitoring all your systems simultaneously. Using some of the tools described in later chapters for the automated monitoring of logfiles, you can watch everything from disk usage to intrusion attempts, all in the same place. It also means that you can log to a central log host by forwarding all syslog calls to a central server.

Each set of options corresponds directly to those in the syslog(3) manpage on Unix systems; refer to that manpage for further detail.

Facility is one of: LOG_AUTH, LOG_AUTHPRIV, LOG_DAEMON, LOG_USER, and LOG_LOCAL0 through LOG_LOCAL7.

Priority is one of: LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR, LOG_WARNING, LOG_NOTICE, LOG_INFO, and LOG_DEBUG.

Finally, there are the options: LOG_CONS, LOG_NDELAY, LOG_PERROR, and LOG_PID.
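The following is an added example, not code from the book or from Snort itself: it parses an output alert_syslog line against the facility, priority, and option names listed above, resolves them to the numeric syslog(3) values that the plug-in ultimately passes to openlog() and syslog(), and can emit a constructed test message the same way so you can confirm where it lands before relying on the real alerts.

```python
import syslog

# Token sets exactly as the Discussion lists them (syslog(3) names).
FACILITIES = {"LOG_AUTH", "LOG_AUTHPRIV", "LOG_DAEMON", "LOG_USER",
              *{"LOG_LOCAL%d" % i for i in range(8)}}
PRIORITIES = {"LOG_EMERG", "LOG_ALERT", "LOG_CRIT", "LOG_ERR",
              "LOG_WARNING", "LOG_NOTICE", "LOG_INFO", "LOG_DEBUG"}
OPTIONS = {"LOG_CONS", "LOG_NDELAY", "LOG_PERROR", "LOG_PID"}


def parse_alert_syslog(line):
    """Parse one 'output alert_syslog: ...' line from snort.conf.

    Returns (facility, priority, [options]) as syslog(3) names.
    Raises ValueError on unknown, duplicate or missing tokens.
    """
    head, sep, rest = line.strip().partition(":")
    if head.split() != ["output", "alert_syslog"] or not sep:
        raise ValueError("not an 'output alert_syslog:' line: %r" % line)
    facility, priority, options = None, None, []
    for tok in rest.split():
        if tok in FACILITIES and facility is None:
            facility = tok
        elif tok in PRIORITIES and priority is None:
            priority = tok
        elif tok in OPTIONS and tok not in options:
            options.append(tok)
        else:
            raise ValueError("unknown or duplicate token: %s" % tok)
    if facility is None or priority is None:
        raise ValueError("facility and priority are both required")
    return facility, priority, options


def is_valid(line):
    """True if the line parses cleanly, False otherwise."""
    try:
        parse_alert_syslog(line)
        return True
    except ValueError:
        return False


def resolve(facility, priority, options):
    """Map the names to the numeric values syslog(3) expects; options are OR'd into one mask."""
    mask = 0
    for opt in options:
        mask |= getattr(syslog, opt)
    return getattr(syslog, facility), getattr(syslog, priority), mask


def emit(line, message):
    """Send one message to the system log the way the configured plug-in would."""
    fac, pri, opts = resolve(*parse_alert_syslog(line))
    syslog.openlog(ident="snort", logoption=opts, facility=fac)
    syslog.syslog(pri, message)
    syslog.closelog()


if __name__ == "__main__":
    # Constructed test message; with LOG_PERROR it also appears on stderr.
    emit("output alert_syslog: LOG_DAEMON LOG_CRIT LOG_PERROR",
         "test alert from the alert_syslog recipe example")
```

Run it as a script and then check the messages file (or your central log host) for the test line; if it is missing, the facility or priority is being filtered by the syslog daemon's configuration rather than by Snort.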

See Also

syslog(3) manpage

Snort Users Manual

Fast Logging
