Transport Snort Logs with Syslog-ng

Question

I have been working with Snort IDS and I have successfully managed to generate some test logs. The problem I am facing has to do with their format(alert_fast). Some example logs are provided below.

07/23-20:08:56.631567 [] [1:2002911:4] ET SCAN Potential VNC Scan 5900-5920 [] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.42.42.253:58606 -> 10.42.42.25:5906

07/23-20:08:56.685455 [] [1:2010937:2] ET POLICY Suspicious inbound to mySQL port 3306 [] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.42.42.253:40328 -> 10.42.42.56:3306

Syslog-ng appends some sort of header to it giving:

Jul 23 20:08:56 SOME_IP 07/23-20:08:56.685455 [] [1:2010937:2] ET POLICY Suspicious inbound to mySQL port 3306 [] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.42.42.253:40328 -> 10.42.42.56:3306

I need a way to get rid of that initial data. I tried using destination d_file { file(“/var/log/file.log” template(“$MSG\n”)); }; but then it yields:

08:56.685455 [] [1:2010937:2] ET POLICY Suspicious inbound to mySQL port 3306 [] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.42.42.253:40328 -> 10.42.42.56:3306

As you can see some of the original log is also removed.

Please note that I want to avoid changing to a different Snort log format at all costs. Surely there must be some way to fix this?

score 0 · Answer 1 · answered Jul 24 '14 at 07:38

syslog-ng is appending a syslog header to the messages because they do not seem to be well-formatted syslog messages, and syslog-ng does not parse them correctly.

Try to use a separate source for these messages, and set the flags(no-parse) option for the source. Then the template(“$MSG\n”) in your destination should give you the result you want.

Regards,

Robert Fekete

score 0 · Answer 2 · answered Jul 24 '14 at 18:22

Thanks for responding Robert. Unfortunately I already had flags(no-parse) as part of my original setup. Here's what fixed it:

template my_template {
     template("$MSGHDR$MSG\n");
     template_escape(no);
};

...
destination some_name {
     file("/var/log/snort/alert" template(my_template));
};

Transport Snort Logs with Syslog-ng

2 Answers2