On Tue, 2007-11-06 at 11:09 -0500, Mike Fratto wrote:
I have been playing with macros to ensure messages are reformatted to a consistent format. I am viewing the events on the wire using tcpdump on the syslog-ng relay. The first event comes from snort. The second event is sent from syslog-ng. Note the sent message is [|syslog].
This same macro (the syslog-ng.conf file is pasted below) works with other syslog sources. Any thoughts on what the problem is?
10:39:29.810836 IP (tos 0x0, ttl 63, id 60806, offset 0, flags [DF], proto UDP (17), length 183) 192.168.14.13.syslog > 192.168.17.212.syslog: SYSLOG, length: 155 Facility local5 (21), Severity alert (1) Msg: snort[433]: [1:466:5] ICMP L3retriever Ping [Classification: Attempted Information Leak] [Priority: 2]: <eth2> {ICMP} 192.168.17.220 -> 192.168.14.44\012
10:39:29.810968 IP (tos 0x0, ttl 64, id 10591, offset 0, flags [DF], proto UDP (17), length 178) 192.168.17.212.32848 > 192.168.17.198.syslog: [|syslog]
This tcpdump is not enough as it does not contain the actual contents of the packets. Please use -xX which dumps packet contents in hex.

-- Bazsi
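The thread turns on whether the relayed datagram still begins with a well-formed `<PRI>` tag: tcpdump's syslog printer decodes facility and severity from that tag and falls back to `[|syslog]` when it cannot find one at the start of the payload (or when the capture is cut short). The following script is an added example, not code from the thread or from syslog-ng or tcpdump, that decodes the PRI the way a decoder would and reports why a payload is rejected. The sample payloads are constructed, modelled on the snort line in the quoted capture (local5/alert encodes as `<169>`); the facility and severity name tables follow RFC 3164 section 4.1.1 and the names tcpdump prints.

```python
# Facility and severity names by number (facility = PRI // 8, severity = PRI % 8,
# RFC 3164 section 4.1.1). Index 21 is local5, severity 1 is alert.
FACILITIES = [
    "kernel", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "cron2",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "info", "debug"]


def parse_pri(payload: bytes):
    """Decode the leading <PRI> of a raw syslog UDP payload.

    Returns (facility, severity, remainder). Raises ValueError with the
    reason when the datagram does not start with a well-formed PRI, which is
    the condition under which a protocol decoder gives up on the message.
    """
    if not payload.startswith(b"<"):
        raise ValueError("message does not start with '<'")
    # RFC 3164 allows one to three digits, so '>' must sit at index 2..4.
    end = payload.find(b">", 2, 5)
    if end == -1:
        raise ValueError("no closing '>' within three digits of PRI")
    digits = payload[1:end]
    if not digits.isdigit():
        raise ValueError("PRI field %r is not numeric" % digits)
    pri = int(digits)
    if pri > 191:
        raise ValueError("PRI %d out of range (max 23*8+7 = 191)" % pri)
    return pri >> 3, pri & 7, payload[end + 1:]


def classify(payload: bytes) -> dict:
    """Summarise one datagram: decoded header fields, or the rejection reason."""
    try:
        fac, sev, rest = parse_pri(payload)
    except ValueError as exc:
        return {"ok": False, "reason": str(exc), "raw": payload}
    return {"ok": True, "pri": fac * 8 + sev,
            "facility": FACILITIES[fac], "severity": SEVERITIES[sev],
            "msg": rest.decode("ascii", "replace")}


def pri_for(facility: str, severity: str) -> int:
    """Inverse mapping: the PRI value a relay template must emit for these names."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


# Constructed sample payloads (not taken from a real capture), modelled on the
# snort line in the thread. Note the '<eth2>' inside the message body is not a
# PRI: only the tag at offset 0 counts.
SNORT_MSG = (b"snort[433]: [1:466:5] ICMP L3retriever Ping "
             b"[Classification: Attempted Information Leak] [Priority: 2]: "
             b"<eth2> {ICMP} 192.168.17.220 -> 192.168.14.44\n")
SAMPLES = {
    # What the sensor sends: PRI first, then the message.
    "from_sensor": b"<169>" + SNORT_MSG,
    # A relay template that does not emit the PRI: starts with the timestamp.
    "relay_no_pri": b"Nov  6 10:39:29 sensor " + SNORT_MSG,
    # A template that emitted the PRI but with a stray space in front of it.
    "relay_leading_space": b" <169>" + SNORT_MSG,
    # A datagram cut short in the capture.
    "truncated": b"<16",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, "->", classify(payload))
```

Run it as-is to see which of the constructed payloads a decoder accepts; in a real investigation, feed it the UDP payload bytes recovered from the `-xX` dump of the packet that printed `[|syslog]`, and compare the first few bytes against what the relay template is expected to emit.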