[syslog-ng] syslog-ng not relaying snort 2.6 events properly.
Mike Fratto
mfratto at gmail.com
Tue Nov 6 17:09:33 CET 2007
I have been playing with macros to ensure messages are reformatted to
a consistent format. I am viewing the events on the wire using tcpdump
on the syslog-ng relay. The first event comes from snort. The second
event is sent from syslog-ng. Note the sent message is [|syslog].
This same macro (the syslog-ng.conf file is pasted below) works with
other syslog sources. Any thoughts on what the problem is?
10:39:29.810836 IP (tos 0x0, ttl 63, id 60806, offset 0, flags [DF],
proto UDP (17), length 183) 192.168.14.13.syslog >
192.168.17.212.syslog: SYSLOG, length: 155
Facility local5 (21), Severity alert (1)
Msg: snort[433]: [1:466:5] ICMP L3retriever Ping
[Classification: Attempted Information Leak] [Priority: 2]: <eth2>
{ICMP} 192.168.17.220 -> 192.168.14.44\012
10:39:29.810968 IP (tos 0x0, ttl 64, id 10591, offset 0, flags [DF],
proto UDP (17), length 178) 192.168.17.212.32848 >
192.168.17.198.syslog: [|syslog]
# Options
options {
    chain_hostnames(no);
    keep_hostname(no);
    use_time_recvd(no);
};

# network syslog listener
source s_udp {
    udp();
    unix-stream("/dev/log");
};

# Strip headers because syslog-ng wants to add them
template strip_header {
    template("$MSG\n");
    template_escape(no);
};

# hosts that should have headers stripped
filter strip_header_hosts {
    host("192.168.14.5") or
    host("example") or
    host("example.com") or
    host("mail.example.com") or
    host("mail") or
    host("192.168.14.13") or
    host("snort") or
    host("snort.example.com");
};

destination d_test { udp("192.168.17.198"); };
destination d_strip_test { udp("192.168.17.198" template(strip_header)); };

log {
    source(s_udp);
    filter(strip_header_hosts);
    destination(d_strip_test);
    flags(final);
};

log {
    source(s_udp);
    destination(d_test);
    flags(final);
};
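A small added example, not part of the post above and not syslog-ng code, that reproduces the check behind tcpdump's two decodes. tcpdump's syslog printer only decodes a datagram whose first bytes are an RFC 3164 priority header `<PRI>`; anything else is printed as `[|syslog]`. The first payload below is reconstructed from the decode in the post (local5 is facility 21 and alert is severity 1, so PRI = 21*8 + 1 = 169). The second is what the posted template `"$MSG\n"` emits if `$MSG` holds everything after the PRI, which is an assumption about the syslog-ng 2.x macro. The `render()` helper is a toy stand-in for template expansion, and the `"<$PRI>$MSG\n"` variant is an assumed illustration of a template that keeps the priority header, not something the poster's configuration contains.

```python
"""Apply tcpdump's RFC 3164 <PRI> check to two constructed syslog payloads.

Added example for the mailing-list post; not syslog-ng code and not tcpdump
code. Payloads are constructed from the tcpdump output in the post.
"""
import re

# RFC 3164 facility and severity names, indexed by numeric code.
FACILITIES = [
    "kernel", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "cron2",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emergency", "alert", "critical", "error", "warning",
              "notice", "info", "debug"]

# A syslog datagram must start with "<N>" where N is a decimal priority.
PRI_RE = re.compile(rb"^<(\d{1,3})>")

# Constructed from the first tcpdump decode in the post: local5 (21), alert (1).
SNORT = {
    "PRI": "169",
    "MSG": "snort[433]: [1:466:5] ICMP L3retriever Ping "
           "[Classification: Attempted Information Leak] [Priority: 2]: "
           "<eth2> {ICMP} 192.168.17.220 -> 192.168.14.44",
}


def render(template: str, msg: dict) -> bytes:
    """Toy stand-in for syslog-ng template expansion: replace $NAME with msg[NAME].

    This is an assumption for illustration only; real syslog-ng macro
    expansion has many more macros and escaping rules.
    """
    return re.sub(r"\$([A-Z]+)", lambda m: msg[m.group(1)], template).encode()


def parse_pri(payload: bytes):
    """Return (facility, severity) or None if no valid <PRI> leads the datagram."""
    m = PRI_RE.match(payload)
    if m is None:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23*8 + 7 is the largest legal value
        return None
    return pri >> 3, pri & 7


def describe(payload: bytes) -> str:
    """Summarise the header the way tcpdump does, or [|syslog] when it cannot."""
    parsed = parse_pri(payload)
    if parsed is None:
        return "[|syslog]"
    fac, sev = parsed
    return f"Facility {FACILITIES[fac]} ({fac}), Severity {SEVERITIES[sev]} ({sev})"


if __name__ == "__main__":
    # "$MSG\n" is the template from the post; "<$PRI>$MSG\n" is an assumed
    # variant that puts the priority header back in front of the message.
    for name, tmpl in (("strip_header", "$MSG\n"), ("keep_pri", "<$PRI>$MSG\n")):
        wire = render(tmpl, SNORT)
        print(f"{name:13} {wire[:24]!r}... -> {describe(wire)}")
```

Run stand-alone, the `strip_header` payload starts with `snort[433]:` rather than `<169>`, so `describe()` yields `[|syslog]` exactly as tcpdump did for the relayed datagram, while the variant that re-adds the priority decodes to local5/alert again.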