Ubuntu – Snort not sending alert log file to syslog server


I am set up with three virtual machines running Ubuntu – a Server, Client, and Gateway. I am tasked with setting up Snort on the Gateway to monitor "attacks" from the Client to the Server. Snort is supposed to send the log files to a rsyslog server that I have set up on the Server. I am having trouble getting these logs to send.

In the snort.conf file, I set up:

output alert_syslog: LOG_AUTH LOG_ALERT

I flushed my iptables and opened everything for testing purposes (nmap reveals 514 is indeed open). I edited the rsyslog.conf file on the Gateway and added:

*.* @

On the rsyslog.conf file on the Server, I added:

*.* /var/log/snort.log

And uncommented the following in both:

$ModLoad imudp.so
$UDPServerRun 514

When I run (eth2 = Client):

snort -A console -i eth2 -c /etc/snort/snort.conf

And ping the Server from the Client (I have a Snort rule to capture ICMP), a log file gets created on the Gateway in /var/log/snort/snort.log.xxxxxxxxxx. Nothing shows up on the Server though. Watching packets on Wireshark, I get two Syslog messages when I start Snort and two more when I exit (^C). The AUTHPRIV.INFO just says "session open for user root" and "session closed for user root":


For the record, I was attempting to follow this tutorial here:


Anyone have any idea what's going on?

Thanks for any advice.

Best Answer

I'd say that if the syslog messages about sessions opening and closing are getting through, then rsyslog is presumably doing its thing at both ends (but confirm it by sending to syslog on the gateway using logger). Also, the fact that the log file gets created on the gateway suggests that the log messages are being mishandled on the gateway, rather than later in the chain process.

I'd be looking to confirm that snort is in fact sending UDP to syslog. Do you have the expected packets on port 514, presumably on the loopback interface of the gateway?

It looks like you could just circumvent the local syslog, and go directly to the server host:

output alert_syslog: host=, LOG_AUTH LOG_ALERT

If that doesn't appeal, what happens if you explicitly send the snort output to localhost:514? Or to a different IP on that host.

Are there firewall issues that might block the packets to port 514 on the gateway?

You did restart snort to pick up the new configuration? It is reading the configuration file you think it is? (Try specifying that explicitly with -c, and/or confirming that's part of the command-line you see with ps).

(At some point, you'll want to limit what gets filed as snort messages, but that's not what you're currently stuck on).
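Before chasing packets, it is worth confirming that the three settings the question relies on are actually present and complete. The following static check is an added example (not from the question, the answer, or Snort/rsyslog); the config contents and the 192.0.2.10 address are constructed placeholders, and the real files live at /etc/snort/snort.conf and /etc/rsyslog.conf.

```sh
#!/bin/sh
# Added example: static check of the snort -> rsyslog forwarding chain.
# Sample config contents below are constructed; 192.0.2.10 is a placeholder
# standing in for the Server's address.

# Prints ok/missing for each required setting; returns 0 only if all are present.
check_syslog_chain() {
    snort_conf=$1
    rsyslog_conf=$2
    rc=0
    # 1. Snort must have an uncommented alert_syslog output line.
    if grep -Eq '^[[:space:]]*output[[:space:]]+alert_syslog:' "$snort_conf"; then
        echo "ok: alert_syslog output enabled in $snort_conf"
    else
        echo "missing: no 'output alert_syslog:' line in $snort_conf"; rc=1
    fi
    # 2. The forwarding rule must name a target host, not just '*.* @'.
    if grep -Eq '^\*\.\*[[:space:]]+@@?[^[:space:]]+' "$rsyslog_conf"; then
        echo "ok: forwarding rule has a target in $rsyslog_conf"
    else
        echo "missing: '*.* @host' rule has no target host in $rsyslog_conf"; rc=1
    fi
    # 3. The receiving side needs the UDP input module listening on 514.
    if grep -Eq '^\$ModLoad[[:space:]]+imudp' "$rsyslog_conf" &&
       grep -Eq '^\$UDPServerRun[[:space:]]+514' "$rsyslog_conf"; then
        echo "ok: imudp loaded and listening on 514"
    else
        echo "missing: imudp module or 'UDPServerRun 514' not enabled"; rc=1
    fi
    return $rc
}

# Constructed sample configs: one complete chain, one with a blank forward target.
TMPD=$(mktemp -d)
printf '%s\n' 'output alert_syslog: LOG_AUTH LOG_ALERT' > "$TMPD/snort.conf"
printf '%s\n' '$ModLoad imudp.so' '$UDPServerRun 514' '*.* @192.0.2.10' > "$TMPD/rsyslog-good.conf"
printf '%s\n' '$ModLoad imudp.so' '$UDPServerRun 514' '*.* @' > "$TMPD/rsyslog-bad.conf"

check_syslog_chain "$TMPD/snort.conf" "$TMPD/rsyslog-good.conf"
check_syslog_chain "$TMPD/snort.conf" "$TMPD/rsyslog-bad.conf" || echo "chain broken: fix rsyslog.conf"
```

Once the configs pass, the runtime checks from the answer still apply: send a test line with logger on the Gateway and watch for UDP/514 with tcpdump or Wireshark.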
