Sending Snort output to the screen or to standard log files is fine for testing purposes, but monitoring and analyzing the alerts and other output Snort produces typically requires additional processing and presentation. One way to facilitate monitoring Snort output is to direct it to a system log (syslog) server so that an analyst can monitor Snort activity using a syslog viewer. Syslog is a common component in many Unix and Linux environments, but it is not typically found on Windows, which instead relies on the built-in Windows application, system, and security event logs. Several syslog servers are available for Windows, including several free products. The key steps for setting up a syslog server are the same for most basic syslog products: install the syslog server, configure it to listen for syslog event traffic, and start the server so that it receives Snort output.
Before installing a syslog server, you need to download an installer package. There are many options available, including several free or open-source projects such as the Syslog Server available for download from Sourceforge at http://sourceforge.net/projects/syslog-server/. The instructions below refer to the Syslog Server tool, but most others work in a very similar manner.
Syslog is a relatively simple protocol. It uses UDP to carry messages from any program or system that generates syslog output to the syslog server, and by default it uses UDP port 514 on both Linux and Windows. In real-world deployments the syslog server typically runs on a different computer than the programs sending output to it, but in the current scenario both Snort and the syslog server run on the same host, so the syslog server address is 127.0.0.1, the localhost address. Because these are the defaults, the address and port do not strictly need to be specified in this situation, but for clarity we will include them in snort.conf.
The -s option in the Snort startup command directs output to syslog, using the settings in the snort.conf file. Because nothing is written to the screen, no activity will appear in the command shell window where Snort is running, but as alerts occur they will appear in the syslog viewer, as illustrated in the screenshot below (showing Syslog Server). Note that until Snort or some other program on the system generates syslog output, there may not be a host listed for 127.0.0.1. It is therefore recommended that you start the syslog server first, then start Snort.
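To confirm that Snort alerts are actually arriving on UDP 514 before relying on a viewer, the following added example (not part of the tutorial or of the Syslog Server project) implements a minimal syslog receiver that decodes the `<PRI>` header into facility and severity and pulls the rule id, classification, protocol and addresses out of a Snort alert line. It assumes snort.conf uses `output alert_syslog` with LOG_AUTH and LOG_ALERT, and the Snort message shape and sample datagram are constructed for illustration.

```python
import re
import socket

# Syslog PRI = facility * 8 + severity; LOG_AUTH (4) + LOG_ALERT (1) gives <33>.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 6: "lpr", 7: "news"}  # enough for a local Snort sensor
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Assumed Snort alert_syslog layout (constructed for this example):
#   snort: [gid:sid:rev] msg [Classification: text] [Priority: n]: {PROTO} src -> dst
SNORT_RE = re.compile(
    r"\[(\d+):(\d+):(\d+)\]\s+(?P<msg>.*?)\s+\[Classification:\s*(?P<cls>[^\]]*)\]"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]:\s*\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)")


def parse_syslog(datagram: bytes) -> dict:
    """Decode one BSD-style syslog datagram; add Snort fields when present."""
    text = datagram.decode("utf-8", errors="replace")
    m = re.match(r"<(\d{1,3})>(.*)", text, re.S)
    if not m:
        raise ValueError("datagram has no <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal value
        raise ValueError("PRI out of range")
    result = {"facility": FACILITIES.get(pri // 8, str(pri // 8)),
              "severity": SEVERITIES[pri % 8], "message": m.group(2).strip()}
    s = SNORT_RE.search(result["message"])
    if s:
        result.update(gid=int(s.group(1)), sid=int(s.group(2)), rev=int(s.group(3)),
                      msg=s["msg"], classification=s["cls"], priority=int(s["prio"]),
                      proto=s["proto"], src=s["src"], dst=s["dst"])
    return result


def receive(host="127.0.0.1", port=514, count=1, timeout=30.0):
    """Bind the syslog port, collect `count` datagrams and return them parsed."""
    alerts = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        sock.settimeout(timeout)  # raises socket.timeout if Snort sends nothing
        while len(alerts) < count:
            data, _peer = sock.recvfrom(65535)
            alerts.append(parse_syslog(data))
    return alerts


if __name__ == "__main__":
    for alert in receive(count=5):
        print(alert)
```

Only one process can bind UDP 514, so stop the syslog server (or point both at another port) while running this check; on Linux, binding a port below 1024 also requires root.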