I have a Magento website set up on a Linux machine that is based on a Bitnami ready-made image.
To achieve that I decided to install Snort IDS and email the alerts coming to the syslog using Swatch.
I've installed snort by following this tutorial from Snort's official website.
I've just finished section 9 of that tutorial which means:
Next, to allow Snort to log alerts to syslog, I've uncommented this line in the snort.conf file: output alert_syslog: LOG_AUTH LOG_ALERT
I've tested the installation by running this command:
sudo /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0
While Snort is running I've made a ping request from another system. I can see alerts registering in Snort's log file, but nothing was added to the syslog.
Trial and error:
Run snort as user root.
Set syslog to bounce logs to another server (remote syslog).
I don't have a great deal of experience with Linux, so any help pointing me in the right direction will be very much appreciated.
Some facts:
I've posted this question on linuxquestions.org as well and got an answer.
Following unSpawn's reply I've reviewed the rsyslog conf files and found that auth logs are sent to the auth.log file, which led to a quick fix of adding an additional .conf file to /etc/rsyslog.d with the content:
auth /var/log/syslog
Also, as suggested, I've made some changes to the snort execution command (omitting the -q -A console):
sudo /usr/local/bin/snort -u snort -g snort -c /etc/snort/snort.conf -i eth0
After restarting the rsyslog service I found the missing Snort alerts in syslog.
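Once the alerts land in /var/log/syslog, the next step in the setup described above is having Swatch email them. Swatch matches raw lines, so it helps to know what the alert_syslog output looks like and to be able to summarise a burst of identical alerts (a single ping test produces one line per packet) before sending mail. The following parser is an added example, not code from the original post or from Snort; the log lines in SAMPLE_SYSLOG are constructed, and the hostname, PIDs, addresses and rule SIDs in them are illustrative, not taken from any real system.

```python
import re
from collections import Counter

# Shape of one alert_syslog line as written by Snort's syslog output plugin:
#   snort[PID]: [gid:sid:rev] MSG [Classification: ...] [Priority: N] {PROTO} SRC -> DST
# The Classification block is absent for rules with no classtype; SRC/DST carry
# :port for TCP and UDP.  The regex below only looks at the part after the PID.
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>[A-Z]+)\} (?P<src>\S+) -> (?P<dst>\S+)"
)

# Constructed sample of a syslog excerpt: two ICMP alerts from a ping test, one
# alert from a local rule without a classtype, and one unrelated sshd line.
SAMPLE_SYSLOG = """\
Mar  7 12:00:01 magento-host snort[1234]: [1:384:5] ICMP PING [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.5 -> 192.168.1.10
Mar  7 12:00:02 magento-host snort[1234]: [1:384:5] ICMP PING [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.5 -> 192.168.1.10
Mar  7 12:00:03 magento-host snort[1234]: [1:1000001:1] Local test rule [Priority: 0] {TCP} 192.168.1.5:51000 -> 192.168.1.10:80
Mar  7 12:00:04 magento-host sshd[999]: Accepted publickey for admin from 192.168.1.20 port 52000 ssh2
"""


def parse_alert(line):
    """Return a dict for a Snort alert line, or None for any other syslog line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    alert = m.groupdict()
    alert["prio"] = int(alert["prio"])          # lower number = more severe (1 high, 3 low)
    alert["rule"] = "{gid}:{sid}:{rev}".format(**alert)
    return alert


def parse_syslog(text):
    """Parse every line of a syslog excerpt, keeping only Snort alerts."""
    alerts = [parse_alert(line) for line in text.splitlines()]
    return [a for a in alerts if a is not None]


def summarize(alerts):
    """Count alerts per (rule, message) so one email can cover a burst of repeats."""
    return Counter((a["rule"], a["msg"]) for a in alerts)


def worth_emailing(alerts, max_priority=2):
    """Select alerts at or above a severity cut-off (priority value <= max_priority).

    Priority 0 means the rule carries no classtype, so it is kept too: an
    unclassified local rule is usually one the operator wrote on purpose."""
    return [a for a in alerts if a["prio"] <= max_priority]


if __name__ == "__main__":
    found = parse_syslog(SAMPLE_SYSLOG)
    for (rule, msg), n in summarize(found).items():
        print("%s  %-20s x%d" % (rule, msg, n))
    for a in worth_emailing(found):
        print("mail:", a["rule"], a["msg"], a["proto"], a["src"], "->", a["dst"])
```

With Swatch this logic would sit behind the watchfor pattern as an exec target, so that one message per rule and source is sent instead of one per packet; the same regex can be pasted into the watchfor line itself if no summarising is wanted.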