LinuxQuestions.org
Linux - Software: Trying to understand what rsyslogd does (https://www.linuxquestions.org/questions/linux-software-2/trying-to-understand-what-rsyslogd-does-4175516678/)

seabro 08-28-2014 01:48 PM

Trying to understand what rsyslogd does
 
Hi,

I have installed Snort and Splunk on the same server.

Splunk is receiving syslog messages on UDP 514 from my router.

However, I am having problems getting Snort to send anything to Splunk.

In the guides I have seen, it entails enabling Rsyslog. What does that do? They are both on the same machine, can't Snort just send to Splunk? Why the third party?

This syslog config for Snort is quite simple:
# syslog
# output alert_syslog: LOG_AUTH LOG_ALERT
output alert_syslog: host=192.168.0.251:514, LOG_AUTH LOG_ALERT

But the syslogs don't arrive at Splunk.

If I do load up rsyslog, Splunk stops receiving syslogs from my router. I guess there is a conflict with 2 apps trying to listen on the same port.

It is possible to get rsyslog to work on TCP but I honestly don't know if it is sending or receiving.

Confused. Any explanation of how the puzzle fits together would be helpful.

Thanks!
seabro

acid_kewpie 08-29-2014 08:01 AM

If Splunk is on the same box, then you'd just read Snort's default local log files in most cases. rsyslog is (from what I understand) being used to bridge between locally logged syslog messages (through a syslog socket, not a network connection) and the generic network world. It does seem that Snort can log directly though, so no, rsyslog shouldn't be required.
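The two mechanisms the reply distinguishes, as an added example that is not part of the original thread or of Snort, rsyslog or Splunk: the `host=192.168.0.251:514` form of `output alert_syslog` makes Snort build an RFC 3164 datagram itself and send it over UDP, while the commented-out form (no `host=`) writes to the local `/dev/log` socket, where only a syslog daemon such as rsyslog can pick it up and forward it. The priority on the wire is facility*8 + severity, so `LOG_AUTH LOG_ALERT` is `<33>`. The script below encodes and decodes that PRI, pushes a constructed Snort-style line through a loopback UDP collector standing in for Splunk's input, and reproduces the clash from the question: a second daemon binding the same UDP port fails with EADDRINUSE. Hostnames, ports, the sensor name and the alert text are all constructed for the demo.

```python
"""Syslog plumbing demo (added example; not code from the thread or from Snort/rsyslog/Splunk).

Shows (1) how the <PRI> of a syslog line is formed from Snort's LOG_AUTH LOG_ALERT,
(2) a one-datagram UDP round trip to a collector, and (3) why two listeners cannot
share 514/udp. All names, ports and log text are constructed for the demo.
"""
import errno
import socket

# RFC 3164 facility and severity codes (subset); Snort's alert_syslog uses these names.
FACILITIES = {"LOG_KERN": 0, "LOG_USER": 1, "LOG_DAEMON": 3, "LOG_AUTH": 4,
              "LOG_SYSLOG": 5, "LOG_LOCAL0": 16}
SEVERITIES = {"LOG_EMERG": 0, "LOG_ALERT": 1, "LOG_CRIT": 2, "LOG_ERR": 3,
              "LOG_WARNING": 4, "LOG_NOTICE": 5, "LOG_INFO": 6, "LOG_DEBUG": 7}


def syslog_pri(facility: str, severity: str) -> int:
    """PRI value written as <PRI> at the start of a syslog line: facility*8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(pri: int) -> tuple:
    """Inverse of syslog_pri: (facility name, severity name) for a received PRI."""
    fac = {v: k for k, v in FACILITIES.items()}[pri // 8]
    sev = {v: k for k, v in SEVERITIES.items()}[pri % 8]
    return fac, sev


def build_message(facility: str, severity: str, timestamp: str,
                  hostname: str, tag: str, text: str) -> bytes:
    """RFC 3164 line: <PRI>TIMESTAMP HOSTNAME TAG: MSG (no trailing newline over UDP)."""
    return f"<{syslog_pri(facility, severity)}>{timestamp} {hostname} {tag}: {text}".encode()


def parse_message(data: bytes) -> dict:
    """Minimal RFC 3164 parser for the lines this demo produces (tag must not contain ': ')."""
    line = data.decode()
    if not line.startswith("<") or ">" not in line:
        raise ValueError("missing <PRI>")
    pri, rest = line[1:].split(">", 1)
    fac, sev = decode_pri(int(pri))
    header, msg = rest.split(": ", 1)
    # TIMESTAMP is "Mmm dd hh:mm:ss" (three fields), then HOSTNAME, then TAG.
    parts = header.split()
    return {"facility": fac, "severity": sev, "timestamp": " ".join(parts[:3]),
            "hostname": parts[3], "tag": parts[4], "msg": msg}


def round_trip(data: bytes) -> dict:
    """Deliver one datagram over loopback UDP and parse it on the receiving side.

    The receiver stands in for Splunk's UDP input. Port 0 lets the OS pick a free
    port so the demo never collides with a real syslog daemon on 514.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as collector, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sender:
        collector.bind(("127.0.0.1", 0))
        collector.settimeout(2)
        sender.sendto(data, collector.getsockname())
        received, _ = collector.recvfrom(65535)
    return parse_message(received)


def second_listener_conflicts() -> bool:
    """The clash from the question: a second bind on an already-bound UDP port fails."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as first, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as second:
        first.bind(("127.0.0.1", 0))
        try:
            second.bind(first.getsockname())
        except OSError as exc:
            return exc.errno == errno.EADDRINUSE
    return False


if __name__ == "__main__":
    # Constructed alert text in the shape Snort's alert_syslog output produces.
    alert = build_message("LOG_AUTH", "LOG_ALERT", "Aug 29 08:01:00", "sensor1", "snort[1234]",
                          "[1:1000001:1] Example local rule [Priority: 2] {TCP} "
                          "10.0.0.5:80 -> 192.168.0.20:51234")
    print(alert.decode())
    print(round_trip(alert))
    print("second listener on the same port conflicts:", second_listener_conflicts())
```

With `host=` set, Snort is the sender and rsyslog is not in the path at all; the port conflict only appears when rsyslog's own UDP input (`imudp`) is enabled on 514 while Splunk already listens there. If rsyslog is wanted as the bridge for the `/dev/log` form, keep `imudp` off and forward instead, for example `auth.alert @@127.0.0.1:5514` (rsyslog's legacy `@@` is TCP, single `@` is UDP; 5514 is an assumed free port that Splunk would be configured to listen on). `ss -lunp | grep 514` shows which process currently holds the port.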

szboardstretcher 08-29-2014 08:21 AM

Splunk is paid software, and will delete anything after 500MB of logs IIRC. So don't use it in production unless you pay for it.

Graylog2 and ELK are free alternatives to Splunk, if you are interested.

acid_kewpie 08-29-2014 01:40 PM

wow, that's some odd, and unsolicited, hate for an excellent piece of software.

szboardstretcher 08-29-2014 01:52 PM

Quote:

unsolicited
This is a forum. The idea is to chime in if you have something constructive to say. I don't have to be invited to a conversation.

Quote:

hate for an excellent piece of software
I made no mention of 'hating' splunk.

Quote:

hate for an excellent piece of software
I would appreciate it if you didn't attempt to put words in my mouth.

