Saturday, May 7, 2011

Snort: Logging Alerts to Syslog Server

Life is so busy. It's been pretty long since my last post. Well coming to the post :) ...

We will get into configuration details of Syslog and Snort to log our alerts into Kiwi Syslog Server.

Add the following line to Snort configuration file
 output alert_syslog: host=, LOG_AUTH LOG_ALERT
Snort configuration file can be found at
In my case Snort is running on on eth1 and eth0 is assigned with IP which talks with Syslog Server.

Following command is used to run Snort
 snort -c /etc/snort/snort.conf -i eth1
-c    provide snort configuration file path
-i     interface on which Snort is sniffing the traffic

Output shown in above figure is seen when the Snort command is successful.

Modify syslog configuration file
by adding line
*.*                                                     @
where is the Syslog Server IP Address and UDP/514 is the port on which it is listening.
*.* says log all types of alerts.

To make sure that Syslog Server is running on UDP/514 port uncomment below lines in the configuration file
$UDPServerRun 514
Above lines are commented by default.

Once the modified configuration is saved restart the Syslog daemon
 /etc/rc.d/init.d/rsyslog restart

Make sure to stop firewall or add rule to allow traffic on UDP/514 port.

When we send malicious payload or replay PCAP with malicious traffic on the interface where snort is running, we can see alerts in our Kiwi Syslog Server which is installed on Windows XP machine (

Below is the Packet Capture format when Snort sends alerts to Syslog Server.

Refer Snort Manual and/or Snort FAQ for further details.

For Snort Preprocessors you can refer below link

Hope this will help someone somewhere.

Following articles might be of your interest

Enjoy :) !!!