Snort installed on ubuntu not sending alerts to syslog
I have a Magento website set up on a Linux machine that is based on a Bitnami ready-made image.

The main goal is to be notified by email whenever there might be a potential attack on the site. To achieve that I decided to install Snort IDS and email the alerts coming to the syslog using Swatch. I've installed Snort by following this tutorial from Snort's official website. I've just finished section 9 of that tutorial, which means:

Installed all the prerequisites.
Installed Snort IDS on the machine.
Set up a test rule to alert when ICMP requests (ping) occur.

Next, to allow Snort to log alerts to syslog, I've uncommented this line in the snort.conf file:

output alert_syslog: LOG_AUTH LOG_ALERT

I've tested the installation by running this command:

sudo /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

While Snort is running I've made a ping request from another system. I can see alerts registering in Snort's log file but nothing was added to the syslog.

Trial and error:
1. Run Snort as user root.
2. Set syslog to bounce logs to another server (remote syslog).

I don't have a great deal of experience with Linux, so any help to point me in the right direction will be very much appreciated. Some facts:
0) always pre-flight test using "-T",
1) don't use "-q" during any tests,
2) ensure Syslog, Rsyslogd or Syslog-NG is configured to log any LOG_AUTH and LOG_ALERT,
3) remove the "-A console" and try again.
It's alive!!
Following unSpawn's reply I've reviewed the rsyslog conf files and found that auth logs are sent to the auth.log file.
Which led to a quick fix of adding an additional .conf file to /etc/rsyslog.d with the content:

auth.* /var/log/syslog

Also as suggested I've made some changes to the snort execution command (omitting the -q -A console):

sudo /usr/local/bin/snort -u snort -g snort -c /etc/snort/snort.conf -i eth0

After restarting the rsyslog service I found the missing Snort alerts in syslog. unSpawn, thank you for pointing me in the right direction.
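As an added illustration of why the alerts landed in auth.log rather than syslog (example code written for this thread, not from any of the posters): a small Python evaluator of rsyslog's legacy selector syntax, run over a constructed excerpt of Ubuntu's default rules with and without the extra auth rule. It assumes the stock `*.*;auth,authpriv.none` exclusion that ships in 50-default.conf.

```python
"""Evaluator for rsyslog legacy selectors (facility.priority  action). Added
example, not from the thread: shows where an auth.alert message (what Snort emits
with `output alert_syslog: LOG_AUTH LOG_ALERT`) lands before and after the fix."""

PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

# Constructed excerpt of a default Ubuntu /etc/rsyslog.d/50-default.conf:
# auth goes to auth.log and is explicitly excluded (".none") from syslog.
DEFAULT_RULES = """\
auth,authpriv.*            /var/log/auth.log
*.*;auth,authpriv.none     -/var/log/syslog
kern.*                     -/var/log/kern.log
"""
# The extra file dropped into /etc/rsyslog.d (facility.priority form).
FIX_RULES = "auth.*   /var/log/syslog\n"

def parse_rules(text):
    """Yield (selector, action) pairs, skipping comments and blank lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        yield selector, action.lstrip("-")  # leading '-' only means async write

def selector_matches(selector, facility, priority):
    """Apply one ';'-joined selector such as '*.*;auth,authpriv.none'.
    Later parts override earlier ones, as in syslogd, so '.none' can exclude.
    Only '*', 'none' and plain level names are handled ('=' and '!' are not)."""
    matched = False
    for part in selector.split(";"):
        facs, prio = part.rsplit(".", 1)
        if not (facs == "*" or facility in facs.split(",")):
            continue
        if prio == "none":
            matched = False
        elif prio == "*":
            matched = True
        else:  # a bare level means that level and everything more severe
            matched = PRIORITIES.index(priority) >= PRIORITIES.index(prio)
    return matched

def destinations(config_text, facility, priority):
    """Return the files that receive facility.priority under config_text."""
    return [action for sel, action in parse_rules(config_text)
            if selector_matches(sel, facility, priority)]

if __name__ == "__main__":
    print("default :", destinations(DEFAULT_RULES, "auth", "alert"))
    print("with fix:", destinations(DEFAULT_RULES + FIX_RULES, "auth", "alert"))
```

Running it shows auth.alert reaching only /var/log/auth.log under the default rules, and both files once the extra rule is present; the same check can be reproduced on the real host with `logger -p auth.alert test` and a look at both files.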
You're welcome. Please mark the thread "solved", thanks.