You can configure LogRhythm to collect log information from a Snort IDS that uses Fast Alert logging. LogRhythm supports the Snort Fast Alert logging method that writes logs in a one-line-per-entry format. More verbose Snort logging methods are not supported.
To configure the collection of Snort IDS logs:
- Set up a system running the Linux operating system.
- Download and install the appropriate Snort IDS software.
- Configure Snort IDS according to the specifications of your network.
- Enable Fast Alert logging by entering the following line in the Snort IDS configuration file, under the section labeled Configure output plugins:
  output alert_fast: <filename>
  where <filename> is the name of the file to which logs such as alerts are written. The file is saved in the configured logging directory for Snort IDS.
- Update the Snort IDS rules with the newest rule set.
- Create Log Processing Policies with the Snort Fast Alert File message source type, and enable the rules you wish to match against.
  It is recommended that you enable all rules initially and tune the system according to site requirements later.
- Add a System Monitor Agent from the Client Console's Deployment Manager to be used for collection of Snort IDS.
- Add a Log Source to the System Monitor Agent record specifying the Snort Fast Alert File message source type and the previously created Log Processing (MPE) Policy.
- Install System Monitor Agents on the Linux Snort IDS host.
- In the Deployment Manager, open the Properties of the Snort IDS Log Source and access the Flat File Settings tab:
  - Make sure the File Path is set to the same path and file set in the Snort IDS configuration.
  - Make sure the Date Parsing Format is set to SnortFastAlert File.
- Start the System Monitor Agent and verify that LogRhythm is collecting log information with the Investigator or Tail options.
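As an added example (not part of the LogRhythm documentation or the Snort project), a small Python parser for the one-line alert_fast layout, useful for checking that the file the System Monitor Agent will tail contains only fast-alert lines before enabling collection. The field layout, the year handling, the IPv4-only endpoints and the sample lines are assumptions made here, not taken from the page.

```python
import re
from datetime import datetime

# Snort alert_fast one-line layout. Assumptions (not stated on the page):
# IPv4 endpoints, no year in the timestamp, optional Classification/Priority.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s*"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s*)?"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

def parse_fast_alert(line, year=None):
    """Fields of one alert_fast line, or None if it is not a one-line alert."""
    m = FAST_ALERT_RE.match(line.rstrip("\n"))
    if not m:
        return None
    d = m.groupdict()
    num = lambda v: int(v) if v else None
    # The fast format carries no year (strptime defaults to 1900); supply one.
    ts = datetime.strptime(d["ts"], "%m/%d-%H:%M:%S.%f")
    ts = ts.replace(year=year or datetime.now().year)
    return {"time": ts, "gid": int(d["gid"]), "sid": int(d["sid"]),
            "rev": int(d["rev"]), "msg": d["msg"], "classification": d["cls"],
            "priority": num(d["prio"]), "proto": d["proto"].upper(),
            "src": d["src"], "sport": num(d["sport"]), "dst": d["dst"],
            "dport": num(d["dport"])}

def parse_fast_alert_file(lines, year=None):
    """Split fast-alert file lines into parsed records and rejected raw lines."""
    parsed, rejected = [], []
    for line in lines:
        if line.strip():
            rec = parse_fast_alert(line, year)
            (parsed if rec else rejected).append(rec or line)
    return parsed, rejected

# Constructed sample lines (not captured from a real sensor); the third is a
# fragment of multi-line verbose output, which the one-line parser rejects.
SAMPLE_LINES = [
    "03/14-10:22:05.123456  [**] [1:1000001:1] LOCAL test alert [**] [Classification: Potentially Bad Traffic] "
    "[Priority: 2] {TCP} 198.51.100.23:80 -> 10.0.0.5:51234",
    "03/14-10:22:06.000001  [**] [1:1000002:1] LOCAL ICMP echo sweep [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.9 -> 10.0.0.1",
    "TTL:64 TOS:0x0 ID:5421 IpLen:20 DgmLen:84",
]
```

Any line that lands in the rejected list points to a more verbose Snort output plugin writing into the same file, which this collection method does not support.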