We will get into configuration details of Syslog and Snort to log our alerts into Kiwi Syslog Server.
Add the following line to Snort configuration file
output alert_syslog: host=172.16.232.161:514, LOG_AUTH LOG_ALERT
Snort configuration file can be found at
In my case Snort is running on 188.8.131.52 on eth1 and eth0 is assigned with 172.16.232.171 IP which talks with Syslog Server.
Following command is used to run Snort
snort -c /etc/snort/snort.conf -i eth1
-c provide snort configuration file path
-i interface on which Snort is sniffing the traffic
Modify syslog configuration file
by adding line
where 172.16.232.161 is the Syslog Server IP Address and UDP/514 is the port on which it is listening.
*.* says log all types of alerts.
To make sure that Syslog Server is running on UDP/514 port uncomment below lines in the configuration file
Above lines are commented by default.
Once the modified configuration is saved restart the Syslog daemon
Make sure to stop firewall or add rule to allow traffic on UDP/514 port.
When we send malicious payload or replay PCAP with malicious traffic on the interface where snort is running, we can see alerts in our Kiwi Syslog Server which is installed on Windows XP machine (172.16.232.161).
Below is the Packet Capture format when Snort sends alerts to Syslog Server.
Refer Snort Manual and/or Snort FAQ for further details.
For Snort Preprocessors you can refer below link
Hope this will help someone somewhere.
Following articles might be of your interest
Enjoy :) !!!
Simple how to and works great, thanks for the lesson.ReplyDelete
tahnks for the commentsReplyDelete
Hi Praveen ,ReplyDelete
I am very new to snort. DO you have any simple document to follow to install Snort on linux to send the logs to external logger like splunk.
hi rajan....what is splunk? you need to configure output plugin accordingly in snort.conf file.ReplyDelete
Installation document can be found at
under "snort setup guides" section.
Queries are most welcome.
Praveen, can you please convert your explanation into figure.ReplyDelete
Because I am following everything each and every word you have explained here. But still I am not able to see snort logs at remote server where I am running syslogd with following option : "syslogd -m 0 -r".
Find more details :
192.168.0.89 : snort running here with "output alert_syslog: LOG_AUTH LOG_ALERT"
syslogd has *.* @192.168.0.103
192.168.0.103 : this is my remote server to catch snort logs
192.168.0.103: here I am running "syslogd -m 0 -r"
Where I am doing wrong?
You forgot binding port with IP Address e.g.
syslogd is running on TCP or UDP port?? Configure accordingly.
Make sure you are able to ping from client to server and vice versa. Allow port on Firewall.
hello is it possible to have logs saved locally?ReplyDelete
You can have two output plugins......one for syslog one for local file system or Data Base (DB) etc
Thanks for the response, Praveen! Just another quick one, do you know how I can enable the -s switch in the snortd file so that my daemons start logging automatically?ReplyDelete
I don't have snort installed right now n' last used was sep'2012....."-k -A -N" switches will automatically log to screen.....i may be wrong
I am very new to snort.can u show where to put the host ip in the rsyslog.conf ??ReplyDelete
Nice post with great details. I like it.ReplyDelete
emergency alert software
Hello, i want to ask..ReplyDelete
kiwi syslog server can be run on linux OS?
@silver stein, i don't think you have Kiwi syslog server on Linux, by the way linuc by default comes with syslog just u need to enable the serviceReplyDelete
okay, i'll tryDelete
Most of the time I don’t make comments on websites, but I'd like to say that this article really forced me to do so. Really nice post! שרת וירטואליReplyDelete
Thanks for taking the time to discuss this, I feel strongly about it and love learning more on this topic. traktor szállítás Europa-Road KftReplyDelete