We will get into configuration details of Syslog and Snort to log our alerts into Kiwi Syslog Server.
Add the following line to Snort configuration file
output alert_syslog: host=172.16.232.161:514, LOG_AUTH LOG_ALERT
Snort configuration file can be found at
In my case Snort is running on 18.104.22.168 on eth1 and eth0 is assigned with 172.16.232.171 IP which talks with Syslog Server.
Following command is used to run Snort
snort -c /etc/snort/snort.conf -i eth1
-c provide snort configuration file path
-i interface on which Snort is sniffing the traffic
Modify syslog configuration file
by adding line
where 172.16.232.161 is the Syslog Server IP Address and UDP/514 is the port on which it is listening.
*.* says log all types of alerts.
To make sure that Syslog Server is running on UDP/514 port uncomment below lines in the configuration file
Above lines are commented by default.
Once the modified configuration is saved restart the Syslog daemon
Make sure to stop firewall or add rule to allow traffic on UDP/514 port.
When we send malicious payload or replay PCAP with malicious traffic on the interface where snort is running, we can see alerts in our Kiwi Syslog Server which is installed on Windows XP machine (172.16.232.161).
Below is the Packet Capture format when Snort sends alerts to Syslog Server.
Refer Snort Manual and/or Snort FAQ for further details.
For Snort Preprocessors you can refer below link
Hope this will help someone somewhere.
Following articles might be of your interest
Enjoy :) !!!