To configure syslog on an Open Source SNORT device:
About this task
The following procedure applies to a system that runs Red Hat Enterprise. The procedure
can vary for other operating systems.
Procedure
- Configure SNORT on a remote system.
- Open the snort.conf file.
- Uncomment the following line:
  output alert_syslog:LOG_AUTH LOG_INFO
- Save and exit the file.
- Open the following file:
- Add a -s to the following lines, as shown in the example:
  daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i $i -s -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST
  daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE $INTERFACE -s -u $USER -g $GROUP $CONF -l $LOGDIR
- Save and exit the file.
- Restart SNORT by typing the following command:
  /etc/init.d/snortd restart
- Open the syslog.conf file.
- Update the file to reflect the following code (the selector and the action are separated by a tab):
  auth.info	@<IP Address>
  Where <IP Address> is the system to which you want the logs sent.
- Save and exit the file.
- Restart syslog:
  /etc/init.d/syslog restart
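The three file edits of this procedure, scripted so that they can be applied to copies of the files and reviewed before anything under /etc is changed. This is an added example, not part of the QRadar documentation; it assumes the stock snortd init script layout shown in the step above, and the sample files and collector address it constructs are placeholders.

```shell
#!/bin/sh
# Added example: apply the snort.conf, snortd and syslog.conf edits from the
# procedure idempotently. Each function returns 0 only if the file ends up in
# the expected state, so a failed run is visible to the caller.

# Run FILTER on FILE and replace FILE with the result (portable; no `sed -i`).
rewrite() {
    f="$1"; shift
    "$@" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Step 3: uncomment the alert_syslog output line. A space after the colon, as
# in a stock snort.conf, is tolerated; running twice changes nothing.
enable_snort_syslog() {
    rewrite "$1" sed 's/^[[:space:]]*#[[:space:]]*\(output alert_syslog:[[:space:]]*LOG_AUTH LOG_INFO\)/\1/'
    grep -q '^output alert_syslog:[[:space:]]*LOG_AUTH LOG_INFO' "$1"
}

# Step 6: put -s in front of "-u $USER" on every "daemon /usr/sbin/snort" line
# that does not already carry the flag.
add_syslog_flag() {
    rewrite "$1" awk '/^[ \t]*daemon \/usr\/sbin\/snort/ && !/ -s / { sub(/ -u [$]USER/, " -s -u $USER") } { print }'
    # fail if any daemon line is still missing the flag
    ! grep '^[[:space:]]*daemon /usr/sbin/snort' "$1" | grep -qv ' -s -u \$USER'
}

# Step 8: forward auth.info to COLLECTOR ($2); selector and action are
# separated by a tab, which classic syslogd requires. Skips if already present.
forward_auth_info() {
    grep -q "^auth\.info[[:space:]]*@$2\$" "$1" && return 0
    printf 'auth.info\t@%s\n' "$2" >> "$1"
}

# Constructed sample files in DIR ($1), modelled on the stock files, so the
# functions can be exercised offline.
make_samples() {
    printf '# output alert_syslog: LOG_AUTH LOG_INFO\noutput alert_fast: alert\n' > "$1/snort.conf"
    printf 'daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i $i -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST\n' > "$1/snortd"
    printf 'daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE $INTERFACE -u $USER -g $GROUP $CONF -l $LOGDIR\n' >> "$1/snortd"
    printf '*.info;mail.none;authpriv.none;cron.none\t/var/log/messages\n' > "$1/syslog.conf"
}
```

Point the functions at copies of the real files (for example `cp /etc/snort/snort.conf /tmp/review/` first) and diff the results before copying them back and restarting snortd and syslog as in the procedure.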
What to do next
You can now configure the log source in QRadar.