LinuxQuestions.org
Linux - Server: This forum is for the discussion of Linux software used in a server-related context.
Old 05-15-2013, 10:25 AM   #1
snowmizer
LQ Newbie
 
Registered: May 2013
Posts: 3

Rep: Reputation: Disabled
Snortd Syslog Events Not Forwarding


I have Snort set up on CentOS 6, configured to forward to a syslog server:

output alert_syslog: host=x.x.x.x:514, LOG_LOCAL7 LOG_INFO

rsyslog.conf

*.* @x.x.x.x:514

Where x.x.x.x is my syslog server

When I start Snort via the command line everything forwards fine to my syslog server

snort -c /etc/snort/snort.conf -i eth1

However, when I run /etc/init.d/snortd start my events don't forward to the syslog server.

I have tried disabling SELinux and no luck.

What am I missing?

Thanks.
 
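The two configuration lines in the post above only forward the alert if rsyslog's selector actually takes a local7.info message: on Linux Snort's alert_syslog output hands the alert to the local syslog(3) API, and it is the rsyslog rule, not Snort, that decides whether it leaves the box. The following is an added example, not code from the thread or from the rsyslog or Snort projects. It evaluates rsyslog's legacy "selector  action" syntax (the format CentOS 6 ships) for a given facility and priority; the rsyslog.conf text, the narrower variant, and the alert_syslog line are constructed samples, and the facility/priority values come from the poster's `LOG_LOCAL7 LOG_INFO` line.

```python
"""Where does rsyslog's legacy selector syntax send facility.priority?
Added example, not code from the thread, rsyslog or Snort.  The config
text and the alert_syslog line below are constructed samples."""
import re

PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

SAMPLE_RSYSLOG_CONF = """\
# constructed: CentOS 6 style defaults plus the thread's forwarding rule
$ModLoad imuxsock
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
authpriv.*                                 /var/log/secure
mail.*                                     -/var/log/maillog
cron.*                                     /var/log/cron
*.emerg                                    *
uucp,news.crit                             /var/log/spooler
local7.*                                   /var/log/boot.log
*.* @x.x.x.x:514
"""
# Same file with a narrower forward rule: local7.info alerts then stay local.
STRICT_FORWARD_CONF = SAMPLE_RSYSLOG_CONF.replace(
    "*.* @x.x.x.x:514", "local7.notice @x.x.x.x:514")
SAMPLE_SNORT_LINE = "output alert_syslog: host=x.x.x.x:514, LOG_LOCAL7 LOG_INFO"


def _prio(name):
    return PRIORITIES.index(ALIASES.get(name, name))


def selector_matches(selector, facility, priority):
    """Evaluate a ';'-joined selector the way sysklogd/rsyslog do: each part
    naming the facility sets or clears priorities, later parts override
    earlier ones ('*.info;cron.none' takes local7.info, drops cron.info)."""
    state = set()
    for part in filter(None, (p.strip() for p in selector.split(";"))):
        facs, sep, pri = part.rpartition(".")
        if not sep:
            raise ValueError("bad selector: %r" % part)
        names = [f.strip() for f in facs.split(",")]
        if "*" not in names and facility not in names:
            continue
        if pri == "*":
            state = set(range(len(PRIORITIES)))
        elif pri == "none":
            state = set()
        elif pri.startswith("!="):          # drop exactly this priority
            state -= {_prio(pri[2:])}
        elif pri.startswith("!"):           # drop this priority and above
            state -= set(range(_prio(pri[1:]), len(PRIORITIES)))
        elif pri.startswith("="):           # exactly this priority
            state = {_prio(pri[1:])}
        else:                               # this priority and above
            state = set(range(_prio(pri), len(PRIORITIES)))
    return _prio(priority) in state


def classify_action(action):
    """Map the action field to (kind, target): '@' is UDP, '@@' is TCP."""
    if action.startswith("@@"):
        return ("tcp", action[2:])
    if action.startswith("@"):
        return ("udp", action[1:])
    if action == "*":
        return ("wall", "")
    if action.startswith(":"):
        return ("module", action)
    return ("file", action.lstrip("-"))     # leading '-' only disables fsync


def route(config_text, facility, priority):
    """Every (kind, target) action whose selector takes the message."""
    actions, last_selector = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#$":     # comments and $Directives
            continue
        fields = line.split(None, 1)
        if len(fields) != 2:
            continue
        selector, action = fields
        if selector == "&":                 # '&' reuses the previous selector
            selector = last_selector
        if selector is None or "." not in selector:
            continue                        # RainerScript blocks are not modelled
        last_selector = selector
        if selector_matches(selector, facility, priority):
            actions.append(classify_action(action))
    return actions


def forwarded_to(config_text, facility, priority):
    """Remote targets that receive the message; empty means it never leaves the box."""
    return [t for k, t in route(config_text, facility, priority) if k in ("udp", "tcp")]


ALERT_SYSLOG = re.compile(
    r"^\s*output\s+alert_syslog:\s*(?:host=(?P<host>[^,\s]+)\s*,\s*)?"
    r"LOG_(?P<fac>\w+)\s+LOG_(?P<pri>\w+)", re.IGNORECASE)


def parse_alert_syslog(line):
    """Pull host, facility and priority out of a Snort alert_syslog output line."""
    m = ALERT_SYSLOG.match(line)
    if not m:
        raise ValueError("not an alert_syslog line: %r" % line)
    return {"host": m.group("host"), "facility": m.group("fac").lower(),
            "priority": m.group("pri").lower()}
```

Running `route(SAMPLE_RSYSLOG_CONF, "local7", "info")` shows the alert landing in /var/log/messages, /var/log/boot.log and the UDP forward, which is the shape of the poster's setup; with the `local7.notice` variant it reaches only the two local files. Note that a single `@` is plain UDP: no delivery guarantee and no authentication of the sender, so an IDS alert feed across anything but a trusted segment should use `@@` (TCP) and, on rsyslog builds that support it, TLS.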
Old 05-15-2013, 11:51 PM   #2
cbtshare
Member
 
Registered: Jul 2009
Posts: 645

Rep: Reputation: 42
I am not sure if you allow the relevant ports for this to work. If you were doing this without "Snort" then you would have to allow port 514 in iptables. Not sure what the port is for snort.
 
Old 05-16-2013, 01:38 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
- Does Snort actually run from the SysV init script?
- Are the command lines the same?
- What does Snort's log file say?
- What does /var/log/audit/audit.log or /var/log/messages say?
 
Old 05-16-2013, 07:48 AM   #4
snowmizer
LQ Newbie
 
Registered: May 2013
Posts: 3

Original Poster
Rep: Reputation: Disabled
After working on this further I discovered that I was seeing events from cron and the other parts of the system. I am just not seeing the local7 events from my test rule. I have been able to figure out that it appears to be something with the SYSLOG variable in /etc/sysconfig/snort. It is set to /var/log/messages. When I looked in this file I was seeing my events (even though I've got the syslog server specified in /etc/snort/snort.conf and /etc/rsyslog.conf). It's as though /etc/init.d/snortd is ignoring the syslog server variable I'm wanting to use. I also noticed that if I didn't put the -s switch in the /etc/init.d/snortd on the command that starts snort nothing is forwarded.

Thanks.
 
Old 05-16-2013, 04:03 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
If you start Snort from the command line then you build the complete command line yourself. OTOH if you start Snort from its /etc/rc.d/init.d/snort init script it may take default values from that plus those added to /etc/sysconfig/snort (if any). It would be best to review settings in both files and compare the actual command line with how you would run it yourself.
 
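The comparison suggested above (the command line the init script really built versus the one you would type) is easy to do mechanically. The following is an added example, not code from the thread or from the Snort package: the sysconfig text, the variable-to-flag table `FLAG_FOR`, and the `ps` output are constructed stand-ins for whatever your own init script does, so read that script to fill in the real mapping. The manual command line is the one from the first post plus the `-s` switch the poster later found necessary.

```python
"""Diff the Snort command line an init script launched against the one
you would type.  Added example, not from the thread or the Snort package;
FLAG_FOR, the sysconfig text and the ps output are constructed stand-ins."""
import shlex

# Hypothetical: which /etc/sysconfig/snort variables become which flags.
# A variable absent from this table (SYSLOG here) changes nothing, which is
# what "my sysconfig edits don't seem to matter" looks like from outside.
FLAG_FOR = {"CONF": "-c", "INTERFACE": "-i", "USER": "-u",
            "GROUP": "-g", "LOGDIR": "-l", "ALERTMODE": "-A"}

SAMPLE_SYSCONFIG = """\
# constructed stand-in for /etc/sysconfig/snort
INTERFACE=eth1
USER=snort
GROUP=snort
CONF="/etc/snort/snort.conf"
LOGDIR=/var/log/snort
ALERTMODE=fast
SYSLOG=/var/log/messages   # parsed below, but no entry in FLAG_FOR reads it
"""
# The thread's hand-typed command plus the -s switch the poster needed.
MANUAL_CMDLINE = "snort -c /etc/snort/snort.conf -i eth1 -s"
# Constructed 'ps -o args' output for the daemon the init script started.
RUNNING_CMDLINE = ("/usr/sbin/snort -A fast -D -i eth1 -u snort -g snort "
                   "-c /etc/snort/snort.conf -l /var/log/snort")


def parse_sysconfig(text):
    """Read shell-style VAR=value lines; quotes and trailing # comments handled."""
    vals = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        vals[key.strip()] = " ".join(shlex.split(val, comments=True))
    return vals


def build_cmdline(vals, use_syslog=False):
    """Assemble the daemon argv the way the hypothetical init script would:
    fixed '-D', one flag per FLAG_FOR entry that is set, '-s' only on request."""
    argv = ["/usr/sbin/snort", "-D"]
    for var, flag in FLAG_FOR.items():
        if vals.get(var):
            argv += [flag, vals[var]]
    if use_syslog:
        argv.append("-s")
    return argv


def parse_flags(argv):
    """{flag: value or None} from a snort argv; a flag followed by another
    flag (or nothing) is a bare switch and maps to None."""
    flags, i = {}, 1
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("-"):
            if i + 1 < len(argv) and not argv[i + 1].startswith("-"):
                flags[tok], i = argv[i + 1], i + 2
            else:
                flags[tok], i = None, i + 1
        else:
            i += 1
    return flags


def compare(expected_cmdline, actual_cmdline):
    """Flags whose value differs: {flag: (expected, actual)}.
    'absent' marks a flag that only one side carries."""
    exp = parse_flags(shlex.split(expected_cmdline))
    act = parse_flags(shlex.split(actual_cmdline))
    return {f: (exp.get(f, "absent"), act.get(f, "absent"))
            for f in sorted(set(exp) | set(act))
            if exp.get(f, "absent") != act.get(f, "absent")}


if __name__ == "__main__":
    for flag, (want, got) in compare(MANUAL_CMDLINE, RUNNING_CMDLINE).items():
        print("%-3s expected %-25r running %r" % (flag, want, got))
```

Run against the constructed `ps` output, the report shows `-s` expected but absent (the poster's finding) alongside the `-D`, `-u`, `-g`, `-l` and `-A` values the script adds on its own; the same check against `build_cmdline(parse_sysconfig(...))` shows that editing `SYSLOG` in the sysconfig file produces no change at all, because nothing maps it to a flag.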
Old 05-17-2013, 07:44 AM   #6
snowmizer
LQ Newbie
 
Registered: May 2013
Posts: 3

Original Poster
Rep: Reputation: Disabled
I went through the /etc/sysconfig/snort file and matched what I was seeing when I issued the "ps -ef | grep snort". That's where I saw that it wasn't using the -s switch. I added that and then it was logging to the value for "SYSLOG" from /etc/sysconfig/snort instead of the values from /etc/snort/snort.conf and /etc/rsyslog.conf. It didn't seem to matter how I modified the command in /etc/sysconfig/snort so I just renamed the run scripts for snortd and added the commands I needed to rc.local since I had a timing issue with when eth1 was up and snort was trying to start. That appears to work.

Thanks for the reply.
 
All times are GMT -5.