[syslog-ng] syslog-ng not relaying snort 2.6 events properly.

Balazs Scheidler bazsi at balabit.hu
Thu Nov 8 08:45:48 CET 2007


On Tue, 2007-11-06 at 11:09 -0500, Mike Fratto wrote:
> I have been playing with macros to ensure messages are reformatted to
> a consistent format. I am viewing the events on the wire using tcpdump
> on the syslog-ng relay. The first event comes from snort. The second
> event is sent from syslog-ng. Note the sent message is [|syslog].
> 
> This same macro (the syslog-ng.conf file is pasted below) works with
> other syslog sources. Any thoughts on what the problem is?
> 
> 10:39:29.810836 IP (tos 0x0, ttl 63, id 60806, offset 0, flags [DF],
> proto UDP (17), length 183) 192.168.14.13.syslog >
> 192.168.17.212.syslog: SYSLOG, length: 155
>         Facility local5 (21), Severity alert (1)
>         Msg: snort[433]: [1:466:5] ICMP L3retriever Ping
> [Classification: Attempted Information Leak] [Priority: 2]: <eth2>
> {ICMP} 192.168.17.220 -> 192.168.14.44\012
> 
> 10:39:29.810968 IP (tos 0x0, ttl 64, id 10591, offset 0, flags [DF],
> proto UDP (17), length 178) 192.168.17.212.32848 >
> 192.168.17.198.syslog: [|syslog]

This tcpdump is not enough as it does not contain the actual contents of
the packets.

Please use -xX which dumps packet contents in hex.

-- 
Bazsi
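
Parsing the snort line quoted above, as an added example that is not part of this thread or of syslog-ng itself: it decodes the `<PRI>` header into the facility/severity that tcpdump printed (local5 = 21, alert = 1, so PRI is 21*8+1 = 169) and splits the snort alert into fields; the sample message is constructed from the quoted packet, including its trailing newline (`\012`).

```python
import re

# Constructed from the first packet in the thread: facility local5 (21) and
# severity alert (1) give PRI 169; the payload is the snort line plus "\012".
SAMPLE = ("<169>snort[433]: [1:466:5] ICMP L3retriever Ping "
          "[Classification: Attempted Information Leak] [Priority: 2]: "
          "<eth2> {ICMP} 192.168.17.220 -> 192.168.14.44\n")

# Facility and severity names as listed in RFC 3164.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert",
              "clock", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
SNORT_RE = re.compile(
    r"^(?P<prog>\w+)\[(?P<pid>\d+)\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<name>.*?) "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<prio>\d+)\]: "
    r"<(?P<iface>[^>]+)> \{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$")


def split_pri(msg):
    """Return (facility_name, severity_name, rest) from a BSD syslog line."""
    m = PRI_RE.match(msg)
    if not m:
        raise ValueError("no <PRI> header")
    pri = int(m.group(1))
    if pri > 191:                      # 23*8 + 7 is the largest valid PRI
        raise ValueError("PRI out of range")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7], m.group(2)


def parse_snort(msg):
    """Decode PRI and the snort alert fields; the trailing newline is dropped."""
    fac, sev, body = split_pri(msg)
    m = SNORT_RE.match(body.rstrip("\n"))
    if not m:
        raise ValueError("not a snort alert line")
    rec = m.groupdict()
    rec.update(facility=fac, severity=sev)
    for k in ("pid", "gid", "sid", "rev", "prio"):
        rec[k] = int(rec[k])
    return rec


if __name__ == "__main__":
    print(parse_snort(SAMPLE))
```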