NXLog can be used to capture and process logs from the Snort network intrusion prevention system.

Snort writes alerts to the /var/log/snort/alert file. Each entry contains the date and time of the event, the packet header, a description of the type of breach that was detected, and a severity rating. Each entry spans multiple lines; there is neither a fixed number of lines per entry nor a separator between entries, so the file has to be read as multi-line records rather than line by line. This is the layout produced by Snort's full alert output mode (alert_full); fast mode writes one line per alert and needs no multi-line handling.

Example 1. Snort rules and log samples

Following are three example Snort rules and corresponding log messages.

Snort rule
alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)
Snort log sample
[**] [1:477:3] ICMP Packet [**]
[Priority: 0]
04/30-07:54:41.759229 ->
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:96 DF
Type:8  Code:0  ID:16348   Seq:0  ECHO
Snort rule
alert tcp any any -> any any (msg:"Exploit detected"; sid:1000001; content:"exploit";)
Snort log sample
[**] [1:1000001:0] Exploit detected [**]
[Priority: 0]
04/30-07:54:38.312536 ->
TCP TTL:64 TOS:0x0 ID:19844 IpLen:20 DgmLen:505 DF
***AP*** Seq: 0xF936BE12  Ack: 0x2C9A47D8  Win: 0x7B  TcpLen: 20
Snort rule
alert tcp any any -> any any (msg:"Advanced exploit detected"; \
sid:1000002; content:"backdoor"; reference:myserver,myrules; \
gid:1000001; rev:1; classtype:shellcode-detect; priority:100; \
metadata:meta data;)
Snort log sample
[**] [1000001:1000002:1] Advanced exploit detected [**]
[Classification: Executable Code was Detected] [Priority: 100]
04/30-07:54:35.707783 ->
TCP TTL:127 TOS:0x0 ID:14547 IpLen:20 DgmLen:435 DF
***AP*** Seq: 0x49649AA5  Ack: 0x5BC496C0  Win: 0x40  TcpLen: 20
[Xref => myserver myrules]
Example 2. Parsing Snort logs

This configuration uses an xm_multiline extension module instance with a HeaderLine regular expression to reassemble the multi-line entries: every line matching the header pattern starts a new record, and all following lines up to the next header belong to it. The extension's Exec directive drops the empty lines that separate entries, so they do not become records of their own.

In the Input module instance, a second regular expression (written in extended mode, (?x), so it can be spread across several lines) captures the parts of the message and adds the corresponding fields to the event record. The Classification line is optional in Snort's output, which is why that group is wrapped in (?: ... )?, and the source and destination ports are optional because ICMP alerts carry none. Snort alerts do not record the year, so EventTime is built from the current year with year(now()); entries read after a year boundary (for example a backlog replayed in January) will be stamped with the wrong year. Additional information, such as the Xref data, can be extracted by appending (.*)\s+(.*)\s+\[Xref => (.*)\] to the expression and adding $Xref = $13; to the assignments.

Finally, the log entries are formatted as JSON with the to_json() procedure provided by the xm_json extension.

<Extension snort>
    Module      xm_multiline
    HeaderLine  /^\[\*\*\] \[\S+\] (.*) \[\*\*\]/
    # drop the blank lines that separate alerts
    Exec        if $raw_event =~ /^\s*$/ drop();
</Extension>

<Extension _json>
    Module      xm_json
</Extension>

<Input in>
    Module      im_file
    File        "/var/log/snort/alert"
    InputType   snort
    <Exec>
        if $raw_event =~ /(?x)^\[\*\*\]\ \[\S+\]\ (.*)\ \[\*\*\]\s+
                          (?:\[Classification:\ ([^\]]+)\]\ )?
                          \[Priority:\ (\d+)\]\s+
                          (\d+)\/(\d+)-(\d+:\d+:\d+)\.\d+\s+
                          (\d+\.\d+\.\d+\.\d+):?(\d+)?\ ->
                          \ (\d+\.\d+\.\d+\.\d+):?(\d+)?\s+/
        {
            $EventName = $1;
            $Classification = $2;
            $Priority = $3;
            # Snort alerts carry no year; assume the current one
            $EventTime = parsedate(year(now()) + "-" + $4 + "-" + $5 + " " + $6);
            $SourceIPAddress = $7;
            $SourcePort = $8;
            $DestinationIPAddress = $9;
            $DestinationPort = $10;
        }
    </Exec>
</Input>

<Output out>
    Module      om_file
    File        "/var/log/nxlog_snort"
    Exec        to_json();
</Output>
Output sample
{
  "EventReceivedTime": "2014-05-05 09:08:58",
  "SourceModuleName": "in",
  "SourceModuleType": "im_file",
  "EventName": "Advanced exploit detected",
  "Classification": "Executable Code was Detected",
  "Priority": "100",
  "EventTime": "2014-04-30 07:54:35",
  "SourceIPAddress": "",
  "SourcePort": "46117",
  "DestinationIPAddress": "",
  "DestinationPort": "80"
}
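To check the parsing logic outside NXLog, the following Python script, added here and not part of the NXLog documentation or product, reimplements the same two stages: HeaderLine-based record splitting with empty lines dropped, then the field-extracting regular expression. It goes slightly beyond the configuration above by also capturing the generator ID, signature ID and revision from the [gid:sid:rev] bracket and the Xref line. The three alerts from Example 1 are embedded as constructed input with assumed endpoints 192.0.2.10:46117 -> 192.0.2.20:80 (the samples above omit the addresses), and the year is passed in explicitly because Snort alerts do not record one.

```python
import json
import re
from datetime import datetime

# Constructed input: the three alerts from Example 1. The endpoints
# 192.0.2.10:46117 -> 192.0.2.20:80 are assumed for illustration.
SAMPLE_ALERT_FILE = """\
[**] [1:477:3] ICMP Packet [**]
[Priority: 0]
04/30-07:54:41.759229 192.0.2.10 -> 192.0.2.20
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:96 DF
Type:8  Code:0  ID:16348   Seq:0  ECHO

[**] [1:1000001:0] Exploit detected [**]
[Priority: 0]
04/30-07:54:38.312536 192.0.2.10:46117 -> 192.0.2.20:80
TCP TTL:64 TOS:0x0 ID:19844 IpLen:20 DgmLen:505 DF
***AP*** Seq: 0xF936BE12  Ack: 0x2C9A47D8  Win: 0x7B  TcpLen: 20

[**] [1000001:1000002:1] Advanced exploit detected [**]
[Classification: Executable Code was Detected] [Priority: 100]
04/30-07:54:35.707783 192.0.2.10:46117 -> 192.0.2.20:80
TCP TTL:127 TOS:0x0 ID:14547 IpLen:20 DgmLen:435 DF
***AP*** Seq: 0x49649AA5  Ack: 0x5BC496C0  Win: 0x40  TcpLen: 20
[Xref => myserver myrules]
"""

# Same role as the xm_multiline HeaderLine: a matching line starts a record.
HEADER_RE = re.compile(r"^\[\*\*\] \[\S+\] (.*) \[\*\*\]")

# Field extraction: the Input Exec regex plus gid/sid/rev and the Xref line.
# Classification, ports and Xref are optional, as in real Snort output.
EVENT_RE = re.compile(
    r"""
    ^\[\*\*\]\ \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\ (?P<name>.*?)\ \[\*\*\]\s+
    (?:\[Classification:\ (?P<classification>[^\]]+)\]\ )?
    \[Priority:\ (?P<priority>\d+)\]\s+
    (?P<month>\d+)/(?P<day>\d+)-(?P<time>\d+:\d+:\d+)\.\d+\s+
    (?P<src_ip>\d+\.\d+\.\d+\.\d+)(?::(?P<src_port>\d+))?\s+->\s+
    (?P<dst_ip>\d+\.\d+\.\d+\.\d+)(?::(?P<dst_port>\d+))?
    (?:.*?\[Xref\ =>\ (?P<xref>[^\]]+)\])?
    """,
    re.VERBOSE | re.DOTALL,
)


def split_records(text):
    """Group lines into records as xm_multiline does with HeaderLine, dropping
    empty lines like the extension's Exec drop(). Lines before the first
    header are discarded (a simplification chosen for this example)."""
    records, current = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        if HEADER_RE.match(line):
            if current:
                records.append("\n".join(current))
            current = [line]
        elif current:
            current.append(line)
    if current:
        records.append("\n".join(current))
    return records


def parse_record(raw, year):
    """Extract the event fields from one multi-line alert, or None if it does
    not match. The year is supplied by the caller; Snort does not log it."""
    m = EVENT_RE.match(raw)
    if not m:
        return None
    event_time = datetime.strptime(
        f"{year}-{m['month']}-{m['day']} {m['time']}", "%Y-%m-%d %H:%M:%S"
    )
    return {
        "EventName": m["name"],
        "GeneratorID": int(m["gid"]),
        "SignatureID": int(m["sid"]),
        "SignatureRevision": int(m["rev"]),
        "Classification": m["classification"],
        "Priority": int(m["priority"]),
        "EventTime": event_time.strftime("%Y-%m-%d %H:%M:%S"),
        "SourceIPAddress": m["src_ip"],
        "SourcePort": int(m["src_port"]) if m["src_port"] else None,
        "DestinationIPAddress": m["dst_ip"],
        "DestinationPort": int(m["dst_port"]) if m["dst_port"] else None,
        "Xref": m["xref"],
    }


def parse_alert_file(text, year):
    """Run both stages over the contents of an alert file."""
    events = (parse_record(rec, year) for rec in split_records(text))
    return [e for e in events if e is not None]


if __name__ == "__main__":
    # one JSON object per alert, as om_file with to_json() would write
    for event in parse_alert_file(SAMPLE_ALERT_FILE, year=2014):
        print(json.dumps(event))
```

Running the script prints one JSON object per alert. Unlike the NXLog configuration, the script converts ports and priority to integers and keeps absent fields as null rather than empty strings, which is usually what a downstream SIEM expects; adjust to taste.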

While we endeavor to keep the information in this topic up to date and correct, NXLog makes no representations or warranties of any kind, express or implied about the completeness, accuracy, reliability, suitability, or availability of the content represented here.

Last revision: 17 September 2018