Off load Snort logs to local log server?

Off load Snort logs to local log server?

yngpfy
Gents,

New to the forum and just wanted to tip my hat to the outstanding work that is being accomplished here post-Itus. I was pretty bummed out to see the company go under and really believe in the concept. I just recently updated (via Hans' instructions) both of my Shields to v1.51 SP1. Due to work constraints I actually had to set these to the side for a while, but now I have some time to work on tweaking it a little.

My question is: has anyone fooled around with any type of log shipping of your Snort logs to a local log server? I have a Synology NAS with a log server and would love to ship the Snort logs over prior to them being deleted. I have set the log size to 64k, but any guidance on how to set this up via a cron job or scheduled task would be great. I am reaching out to the forum since my main concentration is Windows, and although I have a basic understanding there is no way for me to get the syntax correct on my own. Note this will be a password-protected place where the logs will dump, so I will need the syntax for the authentication (less actual UN/PWD :-)) as well if possible. Thanks to all in advance for any assistance!

UPDATE:

I found this blog that outlines how to do this:
http://blog.disects.com/2011/05/snort-logging-alerts-to-syslog-server.html

This is how my logs are currently configured on the Shield:
************
output alert_fast: alert.fast 64k
# output log_tcpdump: tcpdump.log
************
Can I add the text below (IPs are fake, obviously) to ship the logs over to a syslog server concurrently?

output alert_syslog: host=172.16.232.161:514, LOG_AUTH LOG_ALERT

Thoughts?
-yngpfy
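Worked example, added here and not taken from the thread or the Shield firmware: a cron-driven shell script that forwards only the lines appended to alert.fast since its last run, formatted as the LOG_AUTH/LOG_ALERT syslog messages the alert_syslog line above would produce. It assumes bash (for /dev/udp) or netcat on the device, a tail that accepts -c, placeholder file paths, and the fake collector IP from the post.

```shell
#!/bin/sh
# Added example, not from this thread or the Shield firmware: run from cron
# to ship only the alert.fast lines appended since the previous run, so a
# 64k-capped file loses nothing between runs. Paths and the collector
# address are placeholders (the IP is the fake one from the post).
ALERT_FILE="${ALERT_FILE:-/var/log/snort/alert.fast}"
STATE_FILE="${STATE_FILE:-/var/lib/snort-ship.offset}"
SYSLOG_HOST="${SYSLOG_HOST:-172.16.232.161}"
SYSLOG_PORT="${SYSLOG_PORT:-514}"
TAG="snort"
PRI=33   # RFC 3164 PRI = LOG_AUTH (4) * 8 + LOG_ALERT (1), as in the post

# Wrap one fast-alert line as "<PRI>TAG: message". The Snort line already
# carries timestamp, gid:sid:rev, classification and priority, so keep it.
format_syslog_line() {
    printf '<%d>%s: %s' "$PRI" "$TAG" "$1"
}

# Print the bytes added since the offset saved in $2, then save the new
# size. If the file got smaller (Snort truncated it at the size cap), the
# offset is reset so the post-rotation lines are not skipped.
new_lines() {
    file="$1"; state="$2"; last=0
    [ -f "$state" ] && last=$(cat "$state")
    size=$(wc -c < "$file" | tr -d ' ')
    [ "$size" -lt "$last" ] && last=0
    tail -c +$((last + 1)) "$file"
    printf '%s\n' "$size" > "$state"
}

# Ship each new line; DRY_RUN=1 prints instead of sending, for testing.
ship_alerts() {
    new_lines "$ALERT_FILE" "$STATE_FILE" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        msg=$(format_syslog_line "$line")
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf '%s\n' "$msg"
        else
            # bash-only UDP send; on BusyBox ash use: printf ... | nc -u HOST PORT
            printf '%s\n' "$msg" > "/dev/udp/$SYSLOG_HOST/$SYSLOG_PORT"
        fi
    done
}

# When executed as the installed script (e.g. from cron), ship now; when
# sourced under another name, only define the functions.
# cron line (placeholder path): */5 * * * * /usr/local/bin/ship_snort.sh
case "$0" in *ship_snort.sh) ship_alerts ;; esac
```

Because the offset file records how far the collector has already seen, a run that happens right after Snort truncates the file still picks up everything written since the truncation.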
Re: Off load Snort logs to local log server?

user8446
Administrator
I've never tried it, but I found this that might be of some help:

http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node21.html

Also, if it's of any interest to you, in the old forum there is a script for using Pushbullet with the Shield.

Running in bridge mode, 1.51 SP1 fw
Re: Off load Snort logs to local log server?

yngpfy
Thanks, I will give this a try. Do we have a copy of the old forums posted here?
Re: Off load Snort logs to local log server?

Hans
Administrator
yngpfy wrote:
> Thanks, I will give this a try. Do we have a copy of the old forums posted here?

Not here directly. Here is the offline copy (made by Breda) on Dropbox: https://www.dropbox.com/s/tiinfpf40hnadyj/packetinspector.org.zip?dl=1

Using Shield Pro v1, Chaos Calmer, FW 1.51 SP1, Bridge Mode

2nd Shield as Sandbox, Chaos Calmer, FW 1.51 SP1 + hotfixes