LinuxQuestions.org

Linux - General: https://www.linuxquestions.org/questions/linux-general-1/snort-installed-on-ubuntu-not-sending-alerts-to-syslog-4175553774/

haim 09-17-2015 12:34 PM

Snort installed on ubuntu not sending alerts to syslog
 
I have a Magento website setup on a linux machine that is based on a Bitnami ready-made image.

The main goal is to be notified by email whenever there might be a potential attack on the site.

To achieve that I decided to install Snort IDS and email the alerts coming to the syslog using Swatch.

I've installed snort by following this tutorial from Snort's official website.

I've just finished section 9 of that tutorial which means:

Installed all the prerequisites.
Installed Snort IDS on the machine.
Set up a test rule to alert when ICMP requests (pings) occur.
Next to allow Snort to log alerts to syslog I've uncommented this line in the snort.conf file: output alert_syslog: LOG_AUTH LOG_ALERT

I've tested the installation by running this command:

sudo /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0
While Snort is running I've made a ping request from another system. I can see alerts registering in Snort's log file but nothing was added to the syslog.

Trial and error:

1. Run snort as user root.
2. Set syslog to bounce logs to another server (remote syslog).

I don't have a great deal of experience with Linux, so any help pointing me in the right direction will be very much appreciated.

Some facts:
  1. Bitnami Magento Stack 1.9.1.0-0
  2. Ubuntu 14.04.3 LTS
  3. Snort 2.9.7.5

unSpawn 09-19-2015 04:13 AM

Quote:

Originally Posted by haim (Post 5421778)
The main goal is to be notified by email whenever there might be a potential attack on the site.

First of all, when you do receive the email (MTA or network outage, mailbox full, etc., etc.?) the event has already happened; secondly, if you're not close to or unable to use a computer or unable to log in (sleep, travel, weak cellular signal, low battery, wrong access lists, no SSH pubkey auth priv key on device) then the event has passed without action, and when you finally access the machine you'd have to decipher the cryptic message Snort sent you and have enough relevant admin knowledge to know where to look. So that's why I'd say that's one of the most inefficient things to do. That said:


Quote:

Originally Posted by haim (Post 5421778)
I've tested the installation by running this command:

sudo /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0
While Snort is running I've made a ping request from another system. I can see alerts registering in Snort's log file but nothing was added to the syslog.

Couple of things:
0) always pre-flight test using "-T",
1) don't use "-q" during any tests,
2) ensure Syslog, Rsyslogd or Syslog-NG is configured to log any LOG_AUTH and LOG_ALERT,
3) remove the "-A console" and try again.


Quote:

Originally Posted by haim (Post 5421778)
I don't have a great deal of experience with Linux

Then you should get it: check your Linux distribution of choice user, admin and security documentation. Please don't postpone it saying you "don't have the time" because when you finally do it'll be too late...

haim 09-22-2015 02:16 AM

It's alive!!
 
Following unSpawn's reply I've reviewed the rsyslog conf files and found that auth logs are sent to the auth.log file.
Which led to a quick fix of adding an additional .conf file to /etc/rsyslog.d with the content:
auth.*    /var/log/syslog


Also, as suggested, I've made some changes to the snort execution command (omitting the -q and -A console):
sudo /usr/local/bin/snort -u snort -g snort -c /etc/snort/snort.conf -i eth0


After restarting the rsyslog service I found the missing Snort alerts in syslog.

unSpawn, thank you for pointing me in the right direction.

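Why the alerts ended up in auth.log rather than syslog follows directly from how rsyslog's legacy selectors work, which is what unSpawn's point 2 was getting at. The Python below is an added example for this thread, not code from the thread or from rsyslog: it models the `facility.priority` selector syntax in simplified form (later semicolon-separated parts override earlier ones for the facilities they name), parses a constructed config excerpt modelled on Ubuntu 14.04's /etc/rsyslog.d/50-default.conf, and asks where a message with facility `auth` and severity `alert` (what Snort's `output alert_syslog: LOG_AUTH LOG_ALERT` emits) would be written, with and without the one-line drop-in the thread ends with.

```python
"""Model of rsyslog's legacy selector syntax, used to predict where a
Snort alert emitted as facility=auth, priority=alert will be written.

Added example, not code from the thread or from rsyslog. The config
excerpt is constructed (modelled on Ubuntu 14.04's 50-default.conf) and
the selector semantics are a simplified reading of the legacy syntax."""
import re

# syslog severities, most severe first (numeric value = list index)
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}


def priority_num(name):
    """Numeric severity of a priority keyword (0 = emerg is the most severe)."""
    return PRIORITIES.index(ALIASES.get(name, name))


def selector_matches(selector, facility, priority):
    """True if a selector such as '*.*;auth,authpriv.none' selects the message.

    Each ';'-separated part names one or more facilities and a priority spec;
    a later part that mentions the message's facility overrides earlier ones.
    Spec forms: '*' (all), 'none' (exclude), 'level' (that level and more
    severe), '=level' (exactly that level), and a leading '!' negating it.
    """
    pri = priority_num(priority)
    verdict = False
    for part in selector.split(";"):
        part = part.strip()
        if not part:
            continue
        facs, _, spec = part.rpartition(".")
        if not facs or not spec:
            continue  # no 'facility.priority' split: nothing is selected
        fac_list = [f.strip() for f in facs.split(",")]
        if "*" not in fac_list and facility not in fac_list:
            continue  # this part says nothing about our facility
        if spec == "none":
            verdict = False
        elif spec == "*":
            verdict = True
        else:
            negate = spec.startswith("!")
            spec = spec.lstrip("!")
            exact = spec.startswith("=")
            level = priority_num(spec.lstrip("="))
            hit = pri == level if exact else pri <= level
            verdict = (not hit) if negate else hit
    return verdict


def parse_rules(config_text):
    """Extract (selector, action) pairs from legacy-format rsyslog config text.

    Comments, blank lines and '$' directives are skipped. A leading '-' on a
    file action means 'do not sync after each write' and is not part of the path.
    """
    rules = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("$", "&")):
            continue
        m = re.match(r"^(\S+)\s+(\S+)$", line)
        if m:
            selector, action = m.groups()
            rules.append((selector, action.lstrip("-")))
    return rules


def destinations(config_text, facility, priority):
    """All actions that would receive a message of the given facility/priority."""
    return [action for selector, action in parse_rules(config_text)
            if selector_matches(selector, facility, priority)]


def snort_alert_destinations(config_text):
    """Snort's 'output alert_syslog: LOG_AUTH LOG_ALERT' emits auth.alert."""
    return destinations(config_text, "auth", "alert")


# Constructed excerpt modelled on Ubuntu 14.04's /etc/rsyslog.d/50-default.conf:
# auth goes to auth.log and is explicitly excluded ('none') from syslog.
UBUNTU_DEFAULT = """\
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
kern.*                          -/var/log/kern.log
"""

# The one-line drop-in for /etc/rsyslog.d that the thread ends with
AUTH_TO_SYSLOG = "auth.*                          /var/log/syslog\n"


if __name__ == "__main__":
    print("default :", snort_alert_destinations(UBUNTU_DEFAULT))
    print("with fix:", snort_alert_destinations(UBUNTU_DEFAULT + AUTH_TO_SYSLOG))
```

With the default excerpt the auth.alert message is selected only by the auth.log rule, because `auth,authpriv.none` removes it from the catch-all `*.*` line; appending the `auth.*` drop-in makes syslog a second destination. The same thing can be checked on a live box without Snort running by sending a test message with `logger -p auth.alert "snort routing test"` and then looking at which files it appears in.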
unSpawn 09-22-2015 06:32 AM

You're welcome. Please mark the thread "solved", thanks.
