
Snare - Logs show up in Syslog but not the SIEM GUI

demonstrative

Entry Level
edited February 2014 in AlienVault USM Appliance > Sensor
Hi guys,

I've installed Snare using the documentation available. I've checked to make sure that the device is sending to the correct IP and all of that.

The events are being sent to the Sensor and I can see them in syslog, but they don't show up in the SIEM. Any ideas?

I'm actually seeing some logs go through but they come up with the following error "ossec: Non standard syslog message (size too large)."

Best Answers

  • Answer ✓
    Verify the source= variable in snare.cfg; maybe the plugin is looking in another place.
  • Answer ✓
    Edit the file /var/ossec/rules/syslog_rules.xml, look for rule id 1003, and change the maxsize as below:

      <rule id="1003" level="13" maxsize="4096">
        <description>Non standard syslog message (size too large).</description>
      </rule>

    Restart the OSSEC server.
  • Answer ✓
    The approach going through OSSEC is valid, however, to get snare parsing the right stuff and logging to the right file.

    According to /etc/ossim/agent/plugins/snare.cfg the default location for the snare plugin to look for logs is /var/log/snare.log.

    I would recommend filtering the incoming Snare logs to /var/log/snare.log with an rsyslog filter like this, e.g. in /etc/rsyslog.d/snare.conf:

    ### snare
    if $rawmsg contains 'MSWinEventLog' then /var/log/snare.log
    & ~

    Please also create a logrotate entry for /var/log/snare.log; are you familiar with that?

Answers

  • edited February 2014
    alexg said:
    The approach going through OSSEC is valid, however, to get snare parsing the right stuff and logging to the right file.

    According to /etc/ossim/agent/plugins/snare.cfg the default location for the snare plugin to look for logs is /var/log/snare.log.

    I would recommend filtering the incoming Snare logs to /var/log/snare.log with an rsyslog filter like this, e.g. in /etc/rsyslog.d/snare.conf:

    ### snare
    if $rawmsg contains 'MSWinEventLog' then /var/log/snare.log
    & ~

    Please also create a logrotate entry for /var/log/snare.log; are you familiar with that?

    Sorry, I'm pretty new to all of this. What's the purpose of log rotation?

    Also big thanks to everyone who's answered. Turns out the problem was as Alex and Gutzba had said, the snare.cfg was pointing to a different location. I've tested it out by directing it to syslog but will redo it with logrotation to snare.log.

    It's showing snare events now, however it does not show a Source Address. The log shows the host name which I assumed would show up as source but it's just showing up as 0.0.0.0. It appears this is solved by using specific logs for each plugin. :)
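The pieces this thread settles on (an rsyslog filter that sends Snare lines to /var/log/snare.log, the OSSEC rule-1003 size limit, and a Snare hostname that the SIEM cannot turn into a Source Address) can be simulated offline. The script below is an added example, not AlienVault, OSSEC or Snare code, and it runs over constructed Snare-style lines. It assumes the Snare tab-delimited field order used in make_snare_line, a stock rule-1003 maxsize of 1025, and that OSSEC treats a message of length >= maxsize as oversize; all three are stated from memory and labelled as assumptions in the code.

```python
"""Added example (not AlienVault, OSSEC or Snare code): a small simulation of the
three pieces discussed in this thread, run over constructed Snare-style lines.
Assumptions: the Snare tab-delimited field order below, the stock rule-1003
maxsize of 1025 and OSSEC's size comparison are all stated from memory."""
import re
from collections import defaultdict

SNARE_MARKER = "MSWinEventLog"
STOCK_MAXSIZE = 1025    # assumed value of rule 1003 in the stock syslog_rules.xml
RAISED_MAXSIZE = 4096   # the value the answer above sets

# BSD syslog header: optional <PRI>, timestamp, host, then the free-form message.
SYSLOG_HEADER = re.compile(
    r"^(?:<\d{1,3}>)?(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)

# Snare tab-delimited layout (assumed): index 0 is the marker, 2 the event log,
# 5 the EventID, 7 the user, 10 the ComputerName field.
SNARE_MIN_FIELDS = 11


def route_line(rawmsg, snare_log="/var/log/snare.log", default_log="/var/log/messages"):
    """Mimic the rsyslog rule `if $rawmsg contains 'MSWinEventLog' then snare.log`,
    with `& ~` discarding the matched line from the default destination."""
    return snare_log if SNARE_MARKER in rawmsg else default_log


def ossec_size_alert(rawmsg, maxsize=STOCK_MAXSIZE):
    """Rule 1003 fires on oversize messages; modelled here as len >= maxsize (assumption)."""
    return len(rawmsg) >= maxsize


def parse_snare(rawmsg):
    """Split a Snare line into the fields a plugin would need (None if not Snare)."""
    m = SYSLOG_HEADER.match(rawmsg)
    if not m:
        return None
    fields = m.group("msg").split("\t")
    if fields[0] != SNARE_MARKER or len(fields) < SNARE_MIN_FIELDS:
        return None
    return {
        "syslog_host": m.group("host"),
        "log": fields[2],
        "event_id": fields[5],
        "user": fields[7],
        "computer": fields[10],
    }


def resolve_source(hostname, host_to_ip):
    """Snare reports a hostname, not an IP; without a mapping there is nothing to
    put in the Source Address column, which models the 0.0.0.0 seen in the thread."""
    return host_to_ip.get(hostname.lower(), "0.0.0.0")


def process(lines, host_to_ip, maxsize=STOCK_MAXSIZE):
    """Route each line, flag rule-1003 hits, and parse the ones that reach snare.log."""
    files, alerts, events = defaultdict(list), [], []
    for line in lines:
        dest = route_line(line)
        files[dest].append(line)
        if ossec_size_alert(line, maxsize):
            alerts.append(line)
        if dest.endswith("snare.log"):
            ev = parse_snare(line)
            if ev:
                ev["src_ip"] = resolve_source(ev["computer"], host_to_ip)
                events.append(ev)
    return dict(files), alerts, events


def make_snare_line(host, counter, event_id, user, data):
    """Build a constructed Snare-style line (sample data, not a real capture)."""
    fields = [SNARE_MARKER, "1", "Security", str(counter), "Wed Feb 12 10:00:01 2014",
              str(event_id), "Microsoft-Windows-Security-Auditing", user, "User",
              "Success Audit", host, "Logon", data, "", "0"]
    return "<13>Feb 12 10:00:01 %s %s" % (host, "\t".join(fields))


# Constructed sample input: two Snare events and one ordinary sshd line.
SAMPLE_LINES = [
    make_snare_line("WIN-DC01", 42, 4624, "jdoe", "An account was successfully logged on."),
    "<13>Feb 12 10:00:02 sensor sshd[1234]: Accepted publickey for admin from 10.0.0.5 port 51000 ssh2",
    # Long DataString: over the stock maxsize but under the raised one.
    make_snare_line("WIN-FS02", 43, 4688, "svc_backup", "A new process has been created. " * 40),
]
# Constructed hostname-to-IP map; WIN-FS02 is deliberately missing.
HOST_TO_IP = {"win-dc01": "192.0.2.10"}

if __name__ == "__main__":
    files, alerts, events = process(SAMPLE_LINES, HOST_TO_IP)
    for dest, lines in files.items():
        print("%-22s %d line(s)" % (dest, len(lines)))
    print("rule 1003 hits at maxsize=%d: %d" % (STOCK_MAXSIZE, len(alerts)))
    raised_alerts = process(SAMPLE_LINES, HOST_TO_IP, RAISED_MAXSIZE)[1]
    print("rule 1003 hits at maxsize=%d: %d" % (RAISED_MAXSIZE, len(raised_alerts)))
    for ev in events:
        print("event %s on %s -> source %s" % (ev["event_id"], ev["computer"], ev["src_ip"]))
```

Running it shows both Snare lines landing in snare.log and the sshd line elsewhere, the long event tripping the size rule only at the stock limit, and the unmapped host coming out as 0.0.0.0 while the mapped one gets its IP; the last part is only a model of the symptom, since how USM actually fills Source Address is not described in the thread.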