3 Replies Latest reply on Jul 8, 2015 3:06 PM by nicole pauls

    SourceFire connector

    barrycuda72

      I am configuring our SourceFire 3ds system to forward syslog information to LEM.

The default facility in SourceFire is alert; the LEM connector by default has a path of /var/log/alert.log.

      When I perform a checklog command on the appliance there is no alert log listed in the available files.  Does this get created on its own somehow?

Can you create your own?  Or do you just change the facility and log path to match one of the log locations listed?


Thanks

        • Re: SourceFire connector
          nicole pauls

You probably need to find the right log path. "alert" isn't a facility, it's a priority, so I think you're missing the other half - it's most likely one of the local facilities, or something like user.log.


If it's something you're syslogging, though, you might be able to press the "Scan for New Nodes" button and go from there. If enough messages have been sent it should be able to auto-configure.

            • Re: SourceFire connector
              barrycuda72

In the SourceFire admin console for configuring syslog, "alert" is a facility option; there is an option for priority as well (two separate items), and "alert" is an option for both.  That being said, I can choose from a list of other facilities like Local0.

Are the log directories that are listed via the checklogs command the only ones I can use?  It seems odd that the connector would by default reference a log path that does not exist.

                • Re: SourceFire connector
                  nicole pauls

It's possible the default path was written for a different scenario, like running the connector on a Linux agent. Or, maybe we just carried over the wrong default from the snort connector. Hard to say.


                  There is no alert.log on the LEM appliance, though, for sure (I checked). Using something like local0 will make it super easy to configure (/var/log/local0.log).

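As an added example (not code from this thread, SolarWinds, or Cisco/Sourcefire) illustrating the facility-versus-priority point made in the replies above: a small encoder/decoder for the syslog PRI header, which is what decides whether a message lands in user.log or local0.log. It assumes the per-facility file layout /var/log/<facility>.log described for the LEM appliance, and the names for facility numbers 12-15 are platform-specific (shown with BSD names).

```python
"""RFC 3164/5424 syslog PRI arithmetic: PRI = facility * 8 + severity.

"alert" only exists on the severity side (value 1); on the facility side the
usual choices are user (1) or local0-local7 (16-23).  Added example, not the
thread's or vendor's code; /var/log/<facility>.log is an assumed layout.
"""
import re

# Facility numbers 0-23 (names for 12-15 vary by platform; BSD names used here).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
# Severity numbers 0-7; "alert" is severity 1, not a facility.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def encode_pri(facility: str, severity: str) -> int:
    """Compute the <PRI> number a sender would emit for facility.severity."""
    if facility.lower() not in FACILITIES:
        raise ValueError(f"{facility!r} is a severity or unknown, not a facility")
    return FACILITIES.index(facility.lower()) * 8 + SEVERITIES.index(severity.lower())


def decode_pri(line: str) -> dict:
    """Split a raw syslog line into facility name, severity name and payload."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:          # 23*8+7 is the largest valid PRI
        raise ValueError("malformed or missing <PRI> header")
    pri = int(m.group(1))
    return {"facility": FACILITIES[pri // 8], "severity": SEVERITIES[pri % 8],
            "msg": m.group(2)}


def target_logfile(line: str, logdir: str = "/var/log") -> str:
    """Path a per-facility syslog layout would write this line to."""
    return f"{logdir}/{decode_pri(line)['facility']}.log"


if __name__ == "__main__":
    # Constructed sample: a local0.alert message as an IPS sensor might send it.
    sample = "<129>Jul  8 15:06:00 sensor1 SFIMS: [1:2000:1] example signature hit"
    print(decode_pri(sample))           # facility local0, severity alert
    print(target_logfile(sample))       # /var/log/local0.log
    print(encode_pri("user", "alert"))  # 9 -> would land in /var/log/user.log
```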