
SourceFire connector

I am configuring our SourceFire 3ds system to forward syslog information to LEM.

The default facility in SourceFire is alert, the LEM connector by default has a path of /var/log/alert.log

When I perform a checklog command on the appliance there is no alert log listed in the available files.  Does this get created on its own somehow?

Can you create your own?  Or do you just change the facility and log path to match one of the log locations listed.

thanks

  • FormerMember

    You probably need to find the right log path. "alert" isn't a facility, it's a priority, so I think you're missing the other half - it's most likely one of the local facilities, or something like user.log.

    If it's something you're syslogging, though, you might be able to press the "Scan for New Nodes" button and go from there. If enough messages have been sent it should be able to auto-configure.

  • In the Sourcefire admin console for configuring syslog, "alert" is a facility option; there is an option for priority as well, 2 separate items, and "alert" is an option for both. That being said, I can choose from a list of other facilities like Local0.

    Are the log directories that are listed via the checklogs command the only ones I can use? It seems odd that the connector would by default reference a log path that does not exist.

  • FormerMember (in reply to barrycuda72)

    It's possible the default path was written for a different scenario, like running the connector on a Linux agent. Or maybe we just carried over the wrong default from the Snort connector. Hard to say.

    There is no alert.log on the LEM appliance, though, for sure (I checked). Using something like local0 will make it super easy to configure (/var/log/local0.log).
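
A way to check the facility/severity confusion discussed above before committing to a connector path, as an added example that is not part of the thread and not Sourcefire or SolarWinds code. It encodes and decodes the RFC 3164 PRI field (PRI = facility * 8 + severity). The facility and severity code tables are taken from RFC 3164; the observation that RFC 3164 codes 12-15 carry only descriptive labels ("log alert" is code 14) and that glibc's <syslog.h> defines no constant for them is a fact. The mapping of local0-7 to /var/log/localN.log on the LEM appliance generalises the one path given in the reply (local0 -> /var/log/local0.log) and is an assumption, as is the sample log line, which is constructed.

```python
"""Added example (not from the forum thread, Sourcefire, or SolarWinds LEM):
encode/decode RFC 3164 syslog PRI values and predict which LEM log file a
forwarded message would land in for a given facility choice."""
import re
import socket

# RFC 3164 section 4.1.1, Table 1: facility codes. Codes 12-15 have only
# descriptive labels in the RFC (NTP, log audit, log alert, clock daemon)
# and no LOG_* constant in glibc's <syslog.h>; the short names here are ours.
FACILITY_NAMES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    12: "ntp", 13: "audit", 14: "alert", 15: "clock",
    **{16 + i: f"local{i}" for i in range(8)},
}
# RFC 3164 section 4.1.1, Table 2: severity codes. "alert" is severity 1.
SEVERITY_NAMES = {0: "emerg", 1: "alert", 2: "crit", 3: "err",
                  4: "warning", 5: "notice", 6: "info", 7: "debug"}
NAME_TO_FACILITY = {v: k for k, v in FACILITY_NAMES.items()}
NAME_TO_SEVERITY = {v: k for k, v in SEVERITY_NAMES.items()}
UNNAMED_FACILITIES = {12, 13, 14, 15}  # no standard file name on most receivers


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity (RFC 3164 section 4.1.1)."""
    f = NAME_TO_FACILITY[facility] if isinstance(facility, str) else facility
    s = NAME_TO_SEVERITY[severity] if isinstance(severity, str) else severity
    if not (0 <= f <= 23 and 0 <= s <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return f * 8 + s


def decode_pri(pri):
    """Return (facility_code, severity_code) for a PRI value 0-191."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range")
    return pri // 8, pri % 8


def expected_lem_path(facility_code):
    """ASSUMPTION: LEM keeps /var/log/localN.log for the local facilities,
    generalised from the local0 -> /var/log/local0.log case in the reply.
    Other facilities return None: no file is predicted for them here."""
    if 16 <= facility_code <= 23:
        return f"/var/log/{FACILITY_NAMES[facility_code]}.log"
    return None


def build_message(facility, severity, host, tag, text,
                  timestamp="Mar 14 10:15:02"):
    """Build an RFC 3164 line: <PRI>TIMESTAMP HOSTNAME TAG: MSG.
    The fixed timestamp keeps the output deterministic for testing."""
    return f"<{encode_pri(facility, severity)}>{timestamp} {host} {tag}: {text}"


def parse_message(line):
    """Decode PRI from a syslog line and report names plus the predicted
    LEM file; flags facilities that most daemons cannot name."""
    m = re.match(r"^<(\d{1,3})>(.*)$", line)
    if not m:
        raise ValueError("no PRI field")
    fac, sev = decode_pri(int(m.group(1)))
    return {
        "facility": FACILITY_NAMES[fac],
        "severity": SEVERITY_NAMES[sev],
        "lem_path": expected_lem_path(fac),
        "facility_has_standard_name": fac not in UNNAMED_FACILITIES,
        "body": m.group(2),
    }


def send_udp(line, host, port=514):
    """Send one line over UDP/514; not used by the offline checks below."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode("utf-8"), (host, port))


if __name__ == "__main__":
    # Constructed sample text, not a real Sourcefire event format.
    body = "IPS event: example signature on 10.0.0.5 -> 10.0.0.9"
    for fac in ("alert", "local0"):
        line = build_message(fac, "alert", "sf3d", "SFIMS", body)
        print(line, "->", parse_message(line))
```

Running the module prints the same constructed event encoded twice: with the Sourcefire-style "alert" facility (PRI 113, facility code 14, no predicted LEM file) and with local0 (PRI 129, predicted /var/log/local0.log), which is the choice the last reply recommends.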