Trying to understand what rsyslogd does
Hi,
I have installed Snort and Splunk on the same server. Splunk is receiving syslog messages on UDP 514 from my router. However, I am having problems getting Snort to send anything to Splunk. In the guides I have seen, it entails enabling Rsyslog. What does that do? They are both on the same machine, can't Snort just send to Splunk? Why the third party? This syslog config for Snort is quite simple:

    # syslog
    # output alert_syslog: LOG_AUTH LOG_ALERT
    output alert_syslog: host=192.168.0.251:514, LOG_AUTH LOG_ALERT

But the syslogs don't arrive at Splunk. If I do load up rsyslog, Splunk stops receiving syslogs from my router. I guess there is a conflict with 2 apps trying to listen on the same port. It is possible to get rsyslog to work on TCP, but I honestly don't know if it is sending or receiving. Confused. Any explanation of how the puzzle fits together would be helpful. Thanks!

seabro
If Splunk is on the same box, then you'd just read Snort's default local log files in most cases. rsyslog is (from what I understand) being used to bridge locally logged syslog messages (through a syslog socket, not a network connection) to the generic network world. It does seem that Snort can log directly though, so no, rsyslog shouldn't be required.
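As an added illustration of the bridging described in the reply above (this is not from the original thread, nor from the rsyslog, Snort or Splunk projects): an rsyslog configuration that picks up Snort's LOG_AUTH/LOG_ALERT messages from the local syslog socket and forwards them over TCP to Splunk, leaving UDP 514 to Splunk's existing listener. The port 1514, a Splunk TCP data input on it, and the file path are assumptions.

```conf
# /etc/rsyslog.d/snort-to-splunk.conf  (added example; path is illustrative)
#
# Only read the local syslog socket (/dev/log). Deliberately do NOT load
# imudp or imtcp here: a second listener on 514 is what knocks Splunk off
# the port the router already sends to.
module(load="imuxsock")

# For this to apply, Snort must log locally, i.e. the snort.conf line is
#     output alert_syslog: LOG_AUTH LOG_ALERT
# With the "host=..." form Snort sends UDP itself and rsyslog never sees it.
#
# That output plugin tags every alert with facility "auth" and severity
# "alert", so this pair selects exactly the Snort alerts from the socket.
if $syslogfacility-text == "auth" and $syslogseverity-text == "alert" then {
    # Forward over TCP to a Splunk TCP input on 127.0.0.1:1514 (assumed port,
    # added in Splunk as a TCP data input; distinct from the UDP 514 input).
    # The queue and infinite retry keep alerts if Splunk restarts briefly.
    action(type="omfwd" target="127.0.0.1" port="1514" protocol="tcp"
           queue.type="LinkedList" action.resumeRetryCount="-1")
    # Don't also write these alerts into the regular local log files.
    stop
}
```

To check the path end to end without Snort, `logger -p auth.alert "snort forward test"` writes a message with the same facility and severity, and it should show up in the Splunk TCP input.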
Splunk is paid software, and will delete anything after 500MB of logs IIRC. So don't use it in production unless you pay for it.
Graylog2 and ELK are free alternatives to Splunk, if you are interested.
Wow, that's some odd, and unsolicited, hate for an excellent piece of software.