问题:
我一直snort在我的系统上进行配置,如果有任何警报,我希望从系统收到电子邮件。
我尝试过,swatch但找不到太多相关文档,只能找到非常基本且不完整的“操作方法网站”,而这个onnocenter.or.id/wik
systemd我使用并设置创建了一项服务swatch.conf,但它不起作用:
斯沃琪手表.服务:
1 [Unit]
2 Description=Monitor Logfiles and send Mail reports
3 After=syslog.target network.target
4
5 [Service]
6 Type=simple
7 ExecStart=/usr/bin/swatch --config-file=/home/kristjan/.swatchrc --input-record-separator="\n \n " --tail-file=/var/log/snort/alert --daemon
8 Restart=always
9 #--tail-file=/var/log/auth.log
10 #./swatch -c /usr/local/.swatchrc -input-record-separator="\n \n " -p="tail -f /var/log/snort/alert " -daemon
11 #-c This option specifies the location of the .swatchrc file.
12 #
13 #---input-record-separator With this command-line option you can specify the delimiting boundary for each alert. By default it is the newline character, \n.
14 #
15 #-p This option is used to read information outputted directly from a command. You can use it to monitor the output of a command for specific events.
16 #
17 #-t This option specifies the file to be monitored for security events.
18 #
19 #---daemon Append this switch to enable daemon mode.
20
21 [Install]
22 WantedBy=multi-user.target
.swatchrc:
1 watchfor /Priority \:1/
2 echo=normal
3 mail=myemailATTgmail.com, subject=Snort Security Alert!
4
5 watchfor /Priority \:2/
6 echo=normal
7 mail=mymailATTgmail.com, subject=Snort Security Alert!
8
9
我也看过,syslog-ng但同样我只发现了不完整的方法,而且看起来非常复杂。
眼镜:
我的系统是 Debian Stretch 9.8,snort来自存储库。我也在logwatch服务器上安装和配置了。
我在我的系统上发送邮件如下:
mail -s '"Subject: auth: FAILED su for root\n\n$_\n"' somethingATTgmail.com
问题:
snort我怎样才能从(你会怎么做?)获取邮件(我的服务器设置为发送电子邮件)通知?
在哪里snort记录警报(什么文件)?