Skip to content

Installing a Windows Intrusion Detection System (WinIDS) Companion add-on

  1. Logging Events to a Local Syslog Server
    Windows 10 / 11 / 2016 SE / 2019 SE / 2022 SE / 2025 SE
    Last Date Revised: May 12, 2026
    Written by: Michael E. Steele

    Get Community Support!  ➜
    Introduction
    This tutorial provides the basic instructions on how to log events to a local Syslog Server running on the Windows Intrusion Detection System (WinIDS).

    Copyright Notice
    This document is Copyright © 2003-2026 Michael Steele. All rights reserved. Permission to distribute this document is hereby granted providing that distribution is electronic, no money is involved, and this copyright notice is maintained. Other requests for distribution will be considered.

    Use the information in this document at your own risk. Michael Steele disavows any potential liability of this document. Use of the concepts, examples, and/or other content of this document is entirely at your own risk.

    This guide is written in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose.

    All copyrights are owned by their owners, unless specifically noted otherwise. Third-party trademarks or brand names are the property of their owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.

    Support Questions and Help
    All support questions related to this specific tutorial MUST be directed to the specific forum in which this Windows Intrusion Detection System (WinIDS) tutorial resides!

    By request, a premium fee service is available for one-on-one support.

    If you have not acquired this tutorial directly from the winsnort.com website, then you most likely do not have the latest revision of this tutorial!
    How to use this guide
    This installation is based on the installer being logged on with 'Administrator' privileges for the entire installation.

    The Windows Intrusion Detection System (WinIDS) will fail if the default installation path is not implemented correctly!
    The default installation path noted above is hard-coded into this tutorial and is also hard-coded into some of the install scripts. Installers will need to make the appropriate changes in both places if the default installation path is anything other than 'd:\winids', or if the support files are located anywhere other than the 'd:\temp' folder.

    The Windows Intrusion Detection System (WinIDS) will fail if the default installation path is not implemented correctly! Requires an existing Windows Intrusion Detection System (WinIDS) using one of the tutorials, either a standalone Windows Intrusion Detection System (WinIDS) or a remote Windows Intrusion Detection System (WinIDS). It is important when asked to 'Open a CMD window with Administrator privileges' that it is done, or the install will fail.

    It is also important when asked to 'Close a CMD window' that it is done, or the install will fail.

    Note: The user installing this tutorial MUST be a member of the Administrators group.

    Note: If the User Account Control dialog box appears at ANY time during this install, ALWAYS left-click 'Yes' to continue, or the install will fail.

    Instructions on starting a command prompt as an Administrator

    In the Windows Search box, type cmd, and then press CTRL+SHIFT+ENTER.

    Prepping for the Windows Intrusion Detection System (WinIDS) Tutorial

    Downloading the Visual Syslog Server software on the local Windows Intrusion Detection System (WinIDS)
    It is imperative to only use the files downloaded from the URL links below. All the files have been verified as compatible with this particular Windows Intrusion Detection System (WinIDS) tutorial. All the files below will need to be downloaded into the folder (d:\temp) that was created when the files from the above 'WinIDS - Software Support Pack' were extracted. Visual Syslog Server for Windows: Download and save the file to the d:\temp folder.

    Installing the Visual Syslog Server software on the local Windows Intrusion Detection System (WinIDS)
    Open a CMD window with Administrator privileges and type 'd:\temp\visualsyslog_setup.exe' (without the outside quotes), and tap the 'Enter' key.

    The 'Welcome to the Visual Syslog Server Setup Wizard' starts. Left-click 'Next'.

    The 'Select Destination Location' screen opens. In the change destination location dialog box, type 'd:\winids\visualsyslog' (without the outside quotes), and left-click 'Next'.

    The 'Select Start Menu Folder' screen appears. Left-click 'Next'.

    The 'Select Additional Tasks' screen appears. Left-click 'Next' to add an exception to the firewall opening port 514.

    The 'Ready to install' screen appears. Left-click 'Install', allowing the install to complete.

    The 'Completing the Visual Syslog Server Setup Wizard' screen appears. Left-click 'Finish' to complete the install.

    Configuring the Visual Syslog Server software on the local Windows Intrusion Detection System (WinIDS)
    The Visual Syslog Server application should have automatically started.

    In the upper-left side, left-click the 'Setup' icon, and the 'Setup' window appears.

    Left-click the 'Main' tab.

    In the 'UDP Syslog server' section, under 'UDP listener interface port', left-click the pull-down menu and select the IP address of the local Syslog Server. The default port should already be populated with 514.

    In the 'TCP Syslog server' section, under 'TCP listener interface port', left-click the pull-down menu and select the IP address of the local Syslog Server. The default port should already be populated with 514.

    Left-click 'OK' to close the setup configuration window, and exit the Visual Syslog Server application.

    The Visual Syslog Server will continue to run in the system taskbar as a Windows service.
    Testing for an open listening port on the local Syslog Server
    From the Windows Intrusion Detection System (WinIDS), go to the 'You Get Signal' website. The local IP address should already be populated in the 'Remote Address' dialog box. In the 'Port Number' dialog box, type 514, and left-click 'Check'.

    *** If the above response is CLOSED, then do not proceed until the status is OPEN. ***
    Configuring the Windows Intrusion Detection System (WinIDS) for Local Syslog logging

    Configuring Snort to include Syslog logging
    At the CMD prompt, type 'notepad2 d:\winids\snort\etc\snort.conf' (without the outside quotes), and tap the 'Enter' key.

    Use Find in Notepad2 to locate and change the variables below. Original Line(s): # output alert_syslog: LOG_AUTH LOG_ALERT
    Change to: output alert_syslog: host=SYSLOG_SVR_IP_ADDR:PORT, LOG_AUTH LOG_ALERT

    Make SURE the SYSLOG_SVR_IP_ADDR above reflects the IP Address of the local Syslog server, and the PORT above reflects the listening port of the local Syslog Server. Now save the file and exit Notepad2.

    Testing the Snort configuration file
    At the CMD prompt, type 'd:\winids\snort\bin\snort -W' (without the outside quotes), and tap the 'Enter' key.

    The following is a partial example of what might be listed as valid Network Interface Cards.
    Index Physical Address IP Address ----- ---------------- ---------- 1 00:0C:29:25:B4:96 0000:0000:fe80:0000:0000:0000:ad63:31cf In the above list, the 'Index' number is important and will need to be remembered for later use in this tutorial. There may be several Network Interface Cards listed, and it will be up to the installer to determine the correct Network Interface Card (Index number) that will be monitoring the Windows Intrusion Detection System (WinIDS).

    The switch for the Network Interface Card will always be '-ix' (without the outside quotes), and the 'x' (without the outside quotes) will always represent the 'Index' number of the Network Interface Card that will be monitoring the Windows Intrusion Detection System (WinIDS). At the CMD prompt, type 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix -T' (without the outside quotes), and tap the 'Enter' key.

    The above run line will require the 'Index' number of the monitoring Network Interface Card added to the 'x' above.

    This will start Snort in self-test mode for configuration and rule file testing. Depending on the resources used and/or available, it could take several minutes to run the self-test mode.

    If all the tests are passed, the following is a confirmation that the Snort configuration file and rules have tested successfully.
    Snort successfully validated the configuration! Snort exiting Do not proceed until 'Snort successfully validated the configuration!'
    Configuring the Snort service run line for the Syslog Server logging
    At the CMD prompt, type 'net stop snort' (without the outside quotes), and tap the 'Enter' key.

    At the CMD prompt, type 'cd /d d:\winids\snort\bin' (without the outside quotes), and tap the 'Enter' key.

    At the CMD prompt, type 'snort /SERVICE /SHOW' (without the outside quotes), and tap the 'Enter' key.

    The output display will be the full run line that Snort uses at startup, and might look like the following: Snort is currently configured to run as a Windows service using the following command-line parameters: -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -i1 At the CMD prompt, type 'snort /SERVICE /UNINSTALL' (without the outside quotes), and tap the 'Enter' key.

    The following is a confirmation that the Snort service was successfully removed from the services database. [SNORT_SERVICE] Attempting to uninstall the Snort service. [SNORT_SERVICE] Successfully removed registry keys from: \HKEY_LOCAL_MACHINE\SOFTWARE\Snort\ [SNORT_SERVICE] Successfully removed the Snort service from the Services database. The new Snort auto-start configuration line needs to be added that contains the switch to turn on the option to log all events to the Syslog Server.

    The Snort run line that should be entered below should be exactly what was displayed when the snort /SERVICE /SHOW command was run previously, except adding '-s' (without the outside quotes) to the end. At the CMD prompt, type 'snort /SERVICE /INSTALL -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -i1 -s' (without the outside quotes), and tap the 'Enter' key.

    The following is a confirmation that the Snort service was successfully added to the services database. [SNORT_SERVICE] Attempting to install the Snort service. [SNORT_SERVICE] The full path to the Snort binary appears to be: D:\winids\snort\bin\snort /SERVICE [SNORT_SERVICE] Successfully added registry keys to: \HKEY_LOCAL_MACHINE\SOFTWARE\Snort\ [SNORT_SERVICE] Successfully added the Snort service to the Services database. At the CMD prompt, type 'sc config snortsvc start= auto' (without the outside quotes), and tap the 'Enter' key.

    The following is a confirmation that the Snort auto-start service has been successfully activated. [SC] ChangeServiceConfig SUCCESS At the CMD prompt, type 'net start snort' (without the outside quotes), and tap the 'Enter' key.

    At the CMD prompt, type 'exit' (without the outside quotes), and tap the 'Enter' key.

    In Conclusion
    At this point, it could take several minutes before seeing events arrive in the local Syslog Server.

    Optional Companion Documents
    Be SURE to check out the available 'Companion Add-on Documents' to enhance the Windows Intrusion Detection System (WinIDS) experience. How to add Event Logging to a local Syslog Server.
    This tutorial will show how to configure Snort to send events to a local Syslog Server on an existing Windows Intrusion Detection System (WinIDS). How to add Event Logging to a remote Syslog Server.
    This tutorial will show how to configure Snort to send events to a remote Syslog Server from an existing Windows Intrusion Detection System (WinIDS). How to add Email Alerting to an existing Windows Intrusion Detection System (WinIDS)
    This tutorial will show how to email user-defined priority events on an existing Windows Intrusion Detection System (WinIDS). How to schedule automatic rules updating
    This tutorial is a simple-to-understand process on how to schedule automatic rules updating. How to compile Barnyard2 on Windows using Cygwin
    This tutorial is a simple-to-understand, step-by-step guide for compiling Barnyard2 on Windows using Cygwin (UNIX emulator). How to build and deploy a passive Ethernet tap
    This tutorial will show how to build and deploy a passive Ethernet tap.
    Updating the Windows Intrusion Detection System (WinIDS) Major components
    How to update the Snort Intrusion Detection Engine
    This tutorial will show how to update the Snort Intrusion Detection Engine. How to update the Windows Intrusion Detection System rules
    This tutorial will show how to update the Windows Intrusion Detection System rules.
    Debugging Installation errors
    Check the Event Viewer, as most of the support programs will throw FATAL errors into the Windows Application log.

    General tutorial issues
    For general problem issues that pertain to this specific tutorial, left-click the 'Get Community Support' button at the top of this tutorial, or manually navigate to the correct community support forum pertaining to this specific tutorial.

    Feedback
    I would love to get feedback from you about this tutorial. For any recommendations or ideas, please leave feedback HERE.

    Michael E. Steele | Microsoft Certified Systems Engineer (MCSE)
    Email Support: support@winsnort.com
    Snort: Open Source Network IDS - www.snort.org
    • 4,494 views
    Updated
  2. Installing Event Email Alerting into an existing WinIDS
    Windows 10 / 11 / 2016 SE / 2019 SE / 2022 SE / 2025 SE
    Last Date Revised: May 12, 2026
    Written by: Michael E. Steele

    Get Community Support!  ➜
    Introduction
    This tutorial provides the basic instructions on how to add priority email event alerting to all existing Windows Intrusion Detection Systems (WinIDS).

    Copyright Notice
    This document is Copyright © 2003-2026 Michael Steele. All rights reserved. Permission to distribute this document is hereby granted providing that distribution is electronic, no money is involved, and this copyright notice is maintained. Other requests for distribution will be considered.

    Use the information in this document at your own risk. Michael Steele disavows any potential liability of this document. Use of the concepts, examples, and/or other content of this document is entirely at your own risk.

    This guide is written in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose.

    All copyrights are owned by their owners, unless specifically noted otherwise. Third-party trademarks or brand names are the property of their owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.

    Support Questions and Help
    All support questions related to this specific tutorial MUST be directed to the specific forum in which this Windows Intrusion Detection System (WinIDS) tutorial resides!

    By request, a premium fee service is available for one-on-one support.

    If you have not acquired this tutorial directly from the winsnort.com website, then you most likely do not have the latest revision of this tutorial!
    How to use this guide
    The Windows Intrusion Detection System (WinIDS) will fail if the default installation path is not implemented correctly!
    The default installation path noted above is hard-coded into this tutorial and is also hard-coded into some of the install scripts. Installers will need to make the appropriate changes in both places if the default installation path is anything other than 'd:\winids', or the support files are located anywhere other than the 'd:\temp' folder.

    The Windows Intrusion Detection System (WinIDS) will fail if the default installation path is not implemented correctly!
    It is important when asked to 'Open a CMD window with Administrator privileges' that it is done, or the install will fail.

    It is also important when asked to 'Close a CMD window' that it is done, or the install will fail.

    Note: The user installing this tutorial MUST be a member of the Administrators group.

    Note: If the User Account Control dialog box appears at ANY time during this install, ALWAYS left-click 'Yes' to continue, or the install will fail.

    Instructions on starting a command prompt as an Administrator

    In the Windows Search box, type cmd, and then press CTRL+SHIFT+ENTER.
    Mandatory prerequisites
    Access to a VALID outgoing SMTP server from the Windows Intrusion Detection System (WinIDS). A Master or Slave Windows Intrusion Detection System (WinIDS) has been installed. The files from the original Windows Intrusion Detection System (WinIDS) tutorial may be required for this tutorial. Installation will use the default path or paths as directed in the guide. Your paths may be different, so be sure to replace the paths we used with the paths you used.

    Prepping for the Windows Intrusion Detection System (WinIDS) Tutorial

    Downloading and extracting the WinIDS Companion Software Development Pack
    It is imperative to only use the files included in the 'WinIDS Companion Software Development Pack' below. These files have been thoroughly tested and are compatible with this particular Windows Intrusion Detection System (WinIDS) tutorial. /data/images/dload.png Download and save the 'WinIDS Companion Software Development Pack' to a temporary location.

    Open File Explorer and navigate to the location of the 'winids-csdp.zip' file. Right-click the 'winids-csdp.zip' file, highlight and left-click 'Extract all...'. In the 'Files will be extracted to this folder:' dialog box, type 'd:\temp' (without the outside quotes). Left-click and uncheck the 'Show extracted files when complete' radio box. Left-click 'Extract'. In the 'Password:' dialog box, type 'w1nsn03t.c0m' (without the outside quotes). Left-click 'OK', and exit File Explorer.

    How to add Email Alerting to an existing Windows Intrusion Detection System (WinIDS)

    Installing and Configuring EventWatchNT
    In File Explorer, navigate to the 'd:\temp' folder, right-click the 'eventwatchnt_v233.exe' file, and left-click 'Run as administrator'.

    The 'WinZip Self-Extractor' starts. In the 'Unzip to folder:' dialog box, type 'd:\winids\eventwatchnt', and left-click 'Unzip'. A confirmation window opens stating 'x file(s) unzipped successfully'. Left-click 'OK', and left-click 'Close' to exit the 'WinZip Self-Extractor'.

    In File Explorer, navigate to the 'd:\winids\eventwatchnt' folder, right-click the 'eventwatchnt.exe' file, and left-click 'Run as administrator'.

    If this is the first run, left-click 'I Agree' at the 'License Agreement for EventwatchNT' screen. The EventwatchNT Configuration wizard starts with some dialog boxes filled in. In the 'Sender Name:' dialog box, type the name of the WinIDS.

    In the next configuration, you will enter the actual domainname.com of this sensor. When you receive an Email Alert, this will be the originating address of the event. In the 'Sender Email Address:' dialog box, type 'eventwatch@yourdomain.com' (without the outside quotes).

    In the 'Recipients:' dialog box, type the email address where the events will be sent.

    In the 'SMTP Server:' dialog box, type the name or IP of the VALID outgoing SMTP server.

    Logged events have a priority range from 1 to 3. One (1) being the highest priority and three (3) being the lowest priority event. This section of the documentation will walk you through setting up the IDS for sending events based on the highest priority event. In the 'Email Subject:' field, type 'WinIDS Priority 1 Alert!' (without the outside quotes).

    In the 'Filter(s):' dialog box, type (including the brackets [ ] and must be typed exactly) '[Priority: 1]' (without the outside quotes).

    In the 'Type:' select box, choose 'Include'.

    At this point, you should be able to click the 'Test' button and send a test message to the 'Sender Email Address' that was selected above. In the 'Event logs to monitor' select box, only 'Application' needs to be ticked.

    In the 'Events to report' select box, only 'WARNING' needs to be ticked.

    In the 'Options' select box, only 'HTML Email' needs to be ticked.

    In the 'Installation' select box, left-click the 'Install' button.

    In the 'Service Control' select box, left-click the 'Start' button.

    Click the 'OK' button at the top right to exit the EventwatchNT application.

    Exit File Explorer.

    Open a CMD window with Administrator privileges and type 'eventvwr' (without the outside quotes), and tap the 'Enter' key.

    Expand 'Windows Logs', right-click 'Application', select 'Properties', and tick 'Overwrite events as needed'. Left-click the 'Apply' button, left-click 'OK', and exit the Event Viewer.

    Configuring the Snort Detection Engine for Application logging
    At the CMD prompt, type 'notepad2 d:\winids\snort\etc\snort.conf' (without the outside quotes), and tap the 'Enter' key.

    Use the Find tool in Notepad2 to locate and change the variables below. Original Line(s): # output alert_syslog: LOG_AUTH LOG_ALERT
    Change to: output alert_syslog: LOG_AUTH LOG_INFO

    Save the file and exit Notepad2.

    Testing the Snort configuration file
    At the CMD prompt, type 'd:\winids\snort\bin\snort -W' (without the outside quotes), and tap the 'Enter' key.

    The following is a partial example of what might be listed as valid Network Interface Cards.
    Index Physical Address IP Address ----- ---------------- ---------- 1 00:0C:29:25:B4:96 0000:0000:fe80:0000:0000:0000:ad63:31cf In the above list, the 'Index' number is important and will need to be remembered for later use in this tutorial. There may be several Network Interface Cards listed, and it will be up to the installer to determine the correct Network Interface Card (Index number) that will be monitoring the Windows Intrusion Detection System (WinIDS).

    The switch for the Network Interface Card will always be '-ix' (without the outside quotes), and the 'x' (without the outside quotes) will always represent the 'Index' number of the Network Interface Card that will be monitoring the Windows Intrusion Detection System (WinIDS). At the CMD prompt, type 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix -T' (without the outside quotes), and tap the 'Enter' key.

    The above run line will require the 'Index' number of the monitoring Network Interface Card added to the 'x' above.

    This will start Snort in self-test mode for configuration and rule file testing. Depending on the resources used and/or available, it could take several minutes to run the self-test mode.

    If all the tests are passed, the following is a confirmation that the Snort configuration file and rules have tested successfully.
    Snort successfully validated the configuration! Snort exiting Do not proceed until 'Snort successfully validated the configuration!' At the CMD prompt, type 'shutdown -r -t 01' (without the outside quotes), and tap the 'Enter' key to reboot.

    After the system is rebooted, Barnyard2 will be running in a minimized window located in the Windows taskbar. It could take several minutes for Barnyard2 to initialize and start shuttling triggered events to the database. If everything is working correctly, all events with a '[Priority: 1]' (without the outside quotes) should be emailed to the specified account.
    In Conclusion
    Congratulations! You have just completed setting up the Windows Intrusion Detection System (WinIDS) to send out emails based on Priority-1 events.

    At this point, you are done with this tutorial. All events should be arriving into the Windows Application log in Event Viewer, and you should be receiving email alerts based on Priority-1 events. If no emails are being received, check the Application Log in the Event Viewer to verify the existence of any Priority-1 events.

    An example of what the events should look like in the email: ________________________________________ EVENT # : 2310 EVENTLOG : Application EVENT TYPE: WARNING (2) SOURCE : snort EVENT ID : 1 TIME : 3/4/2019 11:26:59 PM MESSAGE : [1:16282:4] PUA-P2P Bittorrent uTP peer request [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 220.86.45.46:7388 -> 192.168.1.3:18318 ________________________________________
    Optional Companion Documents
    Be SURE to check out the available 'Companion Add-on Documents' to enhance the Windows Intrusion Detection System (WinIDS) experience. How to add Event Logging to a local Syslog Server.
    This tutorial will show how to configure Snort to send events to a local Syslog Server on an existing Windows Intrusion Detection System (WinIDS). How to add Event Logging to a remote Syslog Server.
    This tutorial will show how to configure Snort to send events to a remote Syslog Server from an existing Windows Intrusion Detection System (WinIDS). How to add Email Alerting to an existing Windows Intrusion Detection System (WinIDS)
    This tutorial will show how to email user-defined priority events on an existing Windows Intrusion Detection System (WinIDS). How to schedule automatic rules updating
    This tutorial is a simple-to-understand process on how to schedule automatic rules updating. How to compile Barnyard2 on Windows using Cygwin
    This tutorial is a simple-to-understand, step-by-step guide for compiling Barnyard2 on Windows using Cygwin (UNIX emulator). How to build and deploy a passive Ethernet tap
    This tutorial will show how to build and deploy a passive Ethernet tap.
    Updating the Windows Intrusion Detection System (WinIDS) Major components
    How to update the Snort Intrusion Detection Engine
    This tutorial will show how to update the Snort Intrusion Detection Engine. How to update the Windows Intrusion Detection System rules
    This tutorial will show how to update the Windows Intrusion Detection System rules.
    Debugging Installation errors
    Check the Event Viewer, as most of the support programs will throw FATAL errors into the Windows Application log.

    General tutorial issues
    For general problem issues that pertain to this specific tutorial, left-click the 'Get Community Support' button at the top of this tutorial, or manually navigate to the correct community support forum pertaining to this specific tutorial.

    Feedback
    I would love to get feedback from you about this tutorial. For any recommendations or ideas, please leave feedback HERE.

    Michael E. Steele | Microsoft Certified Systems Engineer (MCSE)
    Email Support: support@winsnort.com
    Snort: Open Source Network IDS - www.snort.org
    • 5,103 views
    Updated
  3. Compiling Barnyard2 on Windows using the Cygwin UNIX emulator
    Windows 10 / 11 / 2016 SE / 2019 SE / 2022 SE / 2025 SE
    Last Date Revised: May 12, 2026
    Written by: Michael E. Steele

    Get Community Support!  ➜
    Introduction
    Barnyard2 will not compile on a 32-bit operating system using this tutorial! This tutorial provides the basic instructions on how to compile Barnyard2 on Windows using the Cygwin UNIX emulator for MySQL/PostgreSQL database support.

    Copyright Notice
    This document is Copyright © 2003-2026 Michael Steele. All rights reserved. Permission to distribute this document is hereby granted providing that distribution is electronic, no money is involved, and this copyright notice is maintained. Other requests for distribution will be considered.

    Use the information in this document at your own risk. Michael Steele disavows any potential liability of this document. Use of the concepts, examples, and/or other content of this document is entirely at your own risk.

    This guide is written in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose.

    All copyrights are owned by their owners, unless specifically noted otherwise. Third-party trademarks or brand names are the property of their owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.

    Support Questions and Help
    All support questions related to this specific tutorial MUST be directed to the specific forum in which this Windows Intrusion Detection System (WinIDS) tutorial resides!

    By request, a premium fee service is available for one-on-one support.

    If you have not acquired this tutorial directly from the winsnort.com website, then you most likely do not have the latest revision of this tutorial!
    How to use this guide
    It is important when asked to 'Open a CMD window with Administrator privileges' that it is done, or the install will fail.

    It is also important when asked to 'Close a CMD window' that it is done, or the install will fail.

    Note: The user installing this tutorial MUST be a member of the Administrators group.

    Note: If the User Account Control dialog box appears at ANY time during this install, ALWAYS left-click 'Yes' to continue, or the install will fail.

    Instructions on starting a command prompt as an Administrator

    In the Windows Search box, type cmd, and then press CTRL+SHIFT+ENTER.
    Operating System and Configuration Setup
    Using any 64-bit version of Windows with the latest service pack installed will suffice to compile Barnyard2.

    This tutorial provides two options for compiling Barnyard2 on Windows using the Cygwin UNIX emulator. It supports automatically or manually compiling Barnyard2 for either the PostgreSQL or the MySQL database.

    1) There is a scripted process that, if set up properly, will automatically compile Barnyard2 into an executable.

    The scripted process isn't anything fancy. It compiles Barnyard2, leaving the assimilated and compressed 'Barnyard2' file in the root of drive 'd:\'.

    2) The option to manually do a step-by-step compile is also available.

    The manual install will give the installer some basic understanding of how the Unix environment works, as it uses Cygwin, which is a Unix-like environment and command-line interface for Microsoft Windows.

    This tutorial will run on ANY modern 64-bit Microsoft Windows operating system and comes assimilated with all the necessary files to compile Barnyard2 on Windows. This tutorial and the automated script both deal with hard-coded paths.

    Prepping for the Windows Intrusion Detection System (WinIDS) Tutorial

    Downloading and extracting the 'WinIDS - Barnyard2 Software Development Pack'
    It is imperative to only use the files included in the 'WinIDS - Barnyard2 Software Development Pack' below. These files have been thoroughly tested and found compatible with all the supported Windows Intrusion Detection Systems (WinIDS) tutorials. Download The 'WinIDS - Barnyard2 Software Development Pack' to a temporary location.

    Open File Explorer and navigate to the location of the 'winids-b2sdp.zip' file. Right-click the 'winids-b2sdp.zip' file, highlight and left-click 'Extract all...'. In the 'Files will be extracted to this folder:' dialog box, type 'd:\by2temp' (without the outside quotes). Left-click and uncheck the 'Show extracted files when complete' check box. Left-click 'Extract'. In the 'Password:' dialog box, type 'w1nsn03t.c0m' (without the outside quotes). Left-click 'OK', and exit File Explorer.

    Downloading additional and required support files for all supported databases
    It is imperative to only use the files downloaded from the URL links below. The files have been verified as compatible with this particular Windows Intrusion Detection System (WinIDS) tutorial. There are two database options below, so pick the appropriate application file, and download it into the folder (d:\by2temp) that was created when the files from the above 'WinIDS - Barnyard2 Software Development Pack' were extracted. MySQL 8.0.46: Download and save the file to the d:\by2temp folder.

    PostgreSQL 18.3: Download and save the file to the d:\by2temp folder.

    How to compile Barnyard2 on Windows using the Cygwin UNIX emulator for MySQL/PostgreSQL database support

    The automated process for compiling Barnyard2 on Windows using the Cygwin UNIX emulator
    Note: For the automated process, it doesn't matter what version is dropped in. The smart detection will detect the version and process. If it only detects the MySQL source code file, it will compile for MySQL only If it only detects the PostgreSQL source code file, it will compile for PostgreSQL only If it detects both MySQL and PostgreSQL source code files, it will compile for both If multiple versions of the same source code are present, the smart detection will abort. Open a CMD window with Administrator privileges, type 'cd /d d:\by2temp' (without the outside quotes), and tap the 'Enter' key.

    At the CMD prompt, type 'powershell -NoProfile -ExecutionPolicy Bypass -NoExit -File "Compile-Barnyard2.ps1"' (without the outside quotes), tap the 'Enter' key, and make your choice.

    Note: It may take from 10 to 60 minutes for the automated process to complete, depending on the resources (RAM/CPU) available and which option was selected. This tutorial can now be closed. Follow any instructions coming from the script!
    The manual process for compiling Barnyard2 on Windows using the Cygwin UNIX emulator
    Installing Cygwin
    Open an Explorer window and navigate to the 'd:\by2temp' folder. Double left-click the 'setup-x64.exe' file to run the Cygwin installer, and close the Explorer window.

    The 'Cygwin Setup' page opens. Left-click 'Next'.

    At the 'Cygwin Setup - Choose Installation Type' page, leave the default 'Install from Internet' selected, and left-click 'Next'.

    The 'Cygwin Setup - Choose Installation Directory' page opens. In the 'Select Root Install Directory' dialog box, type 'd:\cygwin' (without the outside quotes), and left-click 'Next'.

    The 'Cygwin Setup - Select Local Package Directory' page opens. In the 'Select Local Package Directory' dialog box, type 'd:\cygwin\downloads' (without the outside quotes), and left-click 'Next'.

    An error message will appear stating 'Directory d:\cygwin\downloads does not exist, would you like me to create it?' Left-click 'Yes'.

    The 'Cygwin Setup - Select Connection Type' page opens. Left-click 'Next'.

    The 'Cygwin Setup - Choose Download Site(s)' page appears. There will be a list of package download sites under 'Choose A Download Site'. Left-click to highlight 'http://cygwin.mirrors.hoobly.com', and left-click 'Next'.

    The 'Cygwin Setup' page appears and the default packages will be installed.
    Installing required Cygwin packages
    The 'Cygwin Setup - Select Packages' page appears. Under 'Select Packages', and to the right of 'View', left-click and select 'Full'.

    In the 'Search' dialog, type 'unzip'. Under 'Package', to the right of 'unzip', left-click the down arrow, and left-click to select the latest stable version.

    In the 'Search' dialog, type 'zip'. Under 'Package', to the right of 'zip', left-click the down arrow, and left-click to select the latest stable version.

    In the 'Search' dialog, type 'bison'. Under 'Package', to the right of 'bison', left-click the down arrow, and left-click to select the latest stable version.

    In the 'Search' dialog, type 'automake'. Under 'Package', to the right of 'automake', left-click the down arrow, and left-click to select the latest stable version.

    In the 'Search' dialog, type 'cmake'. Under 'Package', to the right of 'cmake', left-click the down arrow, and left-click to select the latest stable version.

    In the 'Search' dialog, type 'gcc-core'. Under 'Package', to the right of 'gcc-core', left-click the down arrow, and left-click to select the latest stable version.

    In the 'Search' dialog, type 'gcc-g++'. Under 'Package', to the right of 'gcc-g++', left-click the down arrow, and left-click to select the latest stable version.

    In the 'Search' dialog, type 'libtool'. Under 'Package', to the right of 'libtool', left-click the down arrow, and left-click to select the latest stable version.

    In the 'Search' dialog, type 'libicu'. Under 'Package', to the right of 'libicu-devel', left-click the down arrow, and left-click to select the latest stable version.

    Scroll down to 'libicu73', left-click the down arrow, and left-click to select the latest stable version.

    PostgreSQL Compile Only: In the 'Search' dialog, type 'flex'. Under 'Packages', to the right of 'flex', 'flex-debuginfo', and 'flexdll', left-click the down arrow for each one and left-click to select the latest stable version.

    In the 'Search' dialog, type 'make'. Under 'Package', to the right of 'make', left-click the down arrow, and left-click to select the latest stable version.

    In the 'Search' dialog, type 'libreadline-devel'. Under 'Package', to the right of 'libreadline-devel', left-click the down arrow, and left-click to select the latest stable version.

    In the 'Search' dialog, type 'zlib'. Under 'Package', to the right of 'zlib', left-click the down arrow, and left-click to select the latest stable version.

    In the 'Search' dialog, type 'zlib-devel'. Under 'Package', to the right of 'zlib-devel', left-click the down arrow, and left-click to select the latest stable version.

    In the 'Search' dialog, type 'perl'. Under 'Package', to the right of 'perl', left-click the down arrow, and left-click to select the latest stable version.

    In the 'Search' dialog, type 'patch'. Under 'Package', to the right of 'patch', left-click the down arrow, and left-click to select the latest stable version.

    In the 'Search' dialog, type 'libgmp-devel'. Under 'Package', to the right of 'libgmp-devel', left-click the down arrow, and left-click to select the latest stable version.

    In the 'Search' dialog, type 'libedit-devel'. Under 'Package', to the right of 'libedit-devel', left-click the down arrow, and left-click to select the latest stable version.

    MySQL Compile Only: In the 'Search' dialog, type 'libmariadb-devel'. Under 'Package', to the right of 'libmariadb-devel', left-click the down arrow, and left-click to select the latest stable version.

    MySQL Compile Only: In the 'Search' dialog, type 'mariadb-common'. Under 'Package', to the right of 'mariadb-common', left-click the down arrow, and left-click to select the latest stable version.

    At the bottom right, left-click 'Next'.

    The 'Cygwin Setup - Review and confirm changes' page opens. Left-click 'Next'.

    The 'Cygwin Setup - Progress' page opens, displaying the default packages being installed along with their dependencies. The progress is displayed at the top left, and this could take several minutes to complete. At the 'Cygwin Setup - Installation Status and Create Icons' page, left-click 'Finish'.

    Installing the support programs
    On the desktop, double left-click the 'Cygwin Terminal' icon to open the Cygwin Terminal Window.

    At the Cygwin CMD prompt, type 'unzip /cygdrive/d/temp/barnyard2-master.zip -d /cygdrive/d/cygwin' (without the outside quotes), and tap the 'Enter' key.

    At the Cygwin CMD prompt, type 'mv /cygdrive/d/cygwin/barnyard2-master /cygdrive/d/cygwin/source' (without the outside quotes), and tap the 'Enter' key.

    At the Cygwin CMD prompt, type 'unzip /cygdrive/d/temp/WpdPack_4_1_2.zip -d /cygdrive/d/cygwin' (without the outside quotes), and tap the 'Enter' key.

    At the Cygwin CMD prompt, type 'cp -Rf /cygdrive/d/cygwin/WpdPack/Lib/* /cygdrive/d/cygwin/lib' (without the outside quotes), and tap the 'Enter' key.

    At the Cygwin CMD prompt, type 'cp -Rf /cygdrive/d/cygwin/WpdPack/Include/* /cygdrive/d/cygwin/usr/include' (without the outside quotes), and tap the 'Enter' key.

    At the Cygwin CMD prompt, type 'unzip /cygdrive/d/temp/includes.zip -d /cygdrive/d/cygwin/usr/include' (without the outside quotes), and tap the 'Enter' key.

    At the Cygwin CMD prompt, type 'perl -pi -e 's/`ref_system_id`/ref_system_id/g;' /cygdrive/d/cygwin/source/src/output-plugins/spo_database_cache.h' (without the outside quotes), and tap the 'Enter' key.

    At the Cygwin CMD prompt, type 'mv /cygdrive/d/cygwin/lib/libwpcap.a /cygdrive/d/cygwin/lib/libpcap.a' (without the outside quotes), and tap the 'Enter' key.

    Prepping MySQL support for Barnyard2
    Skip this section if PostgreSQL is the database option to be compiled for the Windows Intrusion Detection System (WinIDS)!

    It is important to be compiling Barnyard2 with the same version of the database that is running on the Windows Intrusion Detection System (WinIDS)! At the Cygwin CMD prompt, type 'tar -zxvf /cygdrive/d/temp/mysql-8.0.46.tar.gz -C /cygdrive/d/cygwin' (without the outside quotes), and tap the 'Enter' key.

    At the Cygwin CMD prompt, type 'perl -pi -e 's/AND NOT WIN32/AND WIN32/g' /cygdrive/d/cygwin/mysql-8.0.46/configure.cmake' (without the outside quotes), and tap the 'Enter' key.

    At the Cygwin CMD prompt, type 'sed -i '1s/^/SET(CMAKE_LEGACY_CYGWIN_WIN32=1)\n/' /cygdrive/d/cygwin/mysql-8.0.46/CMakeLists.txt' (without the outside quotes), and tap the 'Enter' key.

    At the Cygwin CMD prompt, type 'cd /cygdrive/d/cygwin/mysql-8.0.46' (without the outside quotes), and tap the 'Enter' key.

    At the Cygwin CMD prompt, type 'cmake . -DWITH_EDITLINE=system -DINSTALL_MYSQLTESTDIR=' (without the outside quotes), and tap the 'Enter' key.

    At the Cygwin CMD prompt, type 'make mysqlclient && make install' (without the outside quotes), and tap the 'Enter' key.

    Prepping PostgreSQL support for Barnyard2
    Skip this section if MySQL is the database option to be compiled for the Windows Intrusion Detection System (WinIDS)!

    It is important to be compiling Barnyard2 with the same version of the database that is running on the Windows Intrusion Detection System (WinIDS)! At the Cygwin CMD prompt, type 'tar -zxvf /cygdrive/d/temp/postgresql-18.3.tar.gz -C /cygdrive/d/cygwin' (without the outside quotes), and tap the 'Enter' key.

    At the Cygwin CMD prompt, type 'cd /cygdrive/d/cygwin/postgresql-18.3' (without the outside quotes), and tap the 'Enter' key.

    At the Cygwin CMD prompt, type './configure' (without the outside quotes), and tap the 'Enter' key.

    At the Cygwin CMD prompt, type 'make && make install' (without the outside quotes), and tap the 'Enter' key.

    Assimilating the Barnyard2 executable and the support files
    At the Cygwin CMD prompt, type 'mkdir /cygdrive/d/barnyard2' (without the outside quotes), and tap the 'Enter' key.

    At the Cygwin CMD prompt, type 'mkdir /cygdrive/d/barnyard2/etc' (without the outside quotes), and tap the 'Enter' key.

    At the Cygwin CMD prompt, type 'mkdir /cygdrive/d/barnyard2/schemas' (without the outside quotes), and tap the 'Enter' key.

    At the Cygwin CMD prompt, type 'cp /cygdrive/d/cygwin/source/schemas/create* /cygdrive/d/cygwin/barnyard2/schemas' (without the outside quotes), and tap the 'Enter' key.

    At the Cygwin CMD prompt, type 'cp /cygdrive/d/cygwin/usr/local/bin/barnyard2.exe /cygdrive/d/cygwin/barnyard2' (without the outside quotes), and tap the 'Enter' key.

    At the Cygwin CMD prompt, type 'cp /cygdrive/d/cygwin/usr/local/etc/barnyard2.conf /cygdrive/d/cygwin/barnyard2/etc' (without the outside quotes), and tap the 'Enter' key.

    At the Cygwin CMD prompt, type 'cp /cygdrive/d/cygwin/bin/cygz.dll /cygdrive/d/cygwin/barnyard2' (without the outside quotes), and tap the 'Enter' key.

    At the Cygwin CMD prompt, type 'cp /cygdrive/d/cygwin/bin/cygwin1.dll /cygdrive/d/cygwin/barnyard2' (without the outside quotes), and tap the 'Enter' key.

    At the Cygwin CMD prompt, type 'cp /cygdrive/d/cygwin/bin/cygstdc++-6.dll /cygdrive/d/cygwin/barnyard2' (without the outside quotes), and tap the 'Enter' key.

    MySQL Compile Only: At the Cygwin CMD prompt, type 'cp /cygdrive/d/cygwin/bin/cygmariadb-3.dll /cygdrive/d/cygwin/barnyard2' (without the outside quotes), and tap the 'Enter' key.

    MySQL Compile Only: At the Cygwin CMD prompt, type 'cp /cygdrive/d/cygwin/bin/cygcrypto-1.1.dll /cygdrive/d/cygwin/barnyard2' (without the outside quotes), and tap the 'Enter' key.

    MySQL Compile Only: At the Cygwin CMD prompt, type 'cp /cygdrive/d/cygwin/bin/cygiconv-2.dll /cygdrive/d/cygwin/barnyard2' (without the outside quotes), and tap the 'Enter' key.

    MySQL Compile Only: At the Cygwin CMD prompt, type 'cp /cygdrive/d/cygwin/bin/cygssl-1.1.dll /cygdrive/d/cygwin/barnyard2' (without the outside quotes), and tap the 'Enter' key.

    PostgreSQL Compile Only: At the Cygwin CMD prompt, type 'cp /cygdrive/d/cygwin/usr/local/pgsql/lib/cygpq.dll /cygdrive/d/cygwin/barnyard2' (without the outside quotes), and tap the 'Enter' key.

    Creating the final compressed Barnyard2
    At the Cygwin CMD prompt, type 'cd /cygdrive/d/cygwin/barnyard2' (without the outside quotes), and tap the 'Enter' key.

    At the Cygwin CMD prompt, type 'zip -r /cygdrive/d/barnyard2-2.1.14-b337.zip' (without the outside quotes), and tap the 'Enter' key.

    At the Cygwin CMD prompt, type 'exit' (without the outside quotes), and tap the 'Enter' key.

    The compiled, assimilated, and compressed 'Barnyard2' file can be found in the root of drive 'd:\'.
    Cleaning up the Barnyard2 compile process
    Open a CMD window with Administrator privileges and type 'rmdir /S /Q d:\cygwin' (without the outside quotes), and tap the 'Enter' key.

    At the CMD prompt, type 'RMDIR /S /Q "%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Cygwin"' (without the outside quotes), and tap the 'Enter' key.

    At the CMD prompt, type 'del %PUBLIC%\Desktop\Cygwin*' (without the outside quotes), and tap the 'Enter' key.

    At the CMD prompt, type 'exit' (without the outside quotes), and tap the 'Enter' key.

    In Conclusion
    Congratulations, you have just completed compiling your very own copy of Barnyard2 for Windows, using the Cygwin UNIX emulator for Windows, on Windows, for either the MySQL or PostgreSQL database.

    I hope this tutorial has been helpful to you. Please feel free to provide feedback, both issues you experienced and recommendations that you might have. The goal of this tutorial was not just for you to compile Barnyard2, but to understand how all the parts work together, and gain a deeper understanding of all the components so that you can troubleshoot, modify, and update your Windows Intrusion Detection System (WinIDS) with confidence.

    Optional Companion Documents
    Be SURE to check out the available 'Companion Add-on Documents' to enhance the Windows Intrusion Detection System (WinIDS) experience. How to add Event Logging to a local Syslog Server.
    This tutorial will show how to configure Snort to send events to a local Syslog Server on an existing Windows Intrusion Detection System (WinIDS). How to add Event Logging to a remote Syslog Server.
    This tutorial will show how to configure Snort to send events to a remote Syslog Server from an existing Windows Intrusion Detection System (WinIDS). How to add Email Alerting to an existing Windows Intrusion Detection System (WinIDS)
    This tutorial will show how to email user-defined priority events on an existing Windows Intrusion Detection System (WinIDS). How to schedule automatic rules updating
    This tutorial is a simple-to-understand process on how to schedule automatic rules updating. How to compile Barnyard2 on Windows using Cygwin
    This tutorial is a simple-to-understand, step-by-step guide for compiling Barnyard2 on Windows using Cygwin (UNIX emulator). How to build and deploy a passive Ethernet tap
    This tutorial will show how to build and deploy a passive Ethernet tap.
    Updating the Windows Intrusion Detection System (WinIDS) Major components
    How to update the Snort Intrusion Detection Engine
    This tutorial will show how to update the Snort Intrusion Detection Engine. How to update the Windows Intrusion Detection System rules
    This tutorial will show how to update the Windows Intrusion Detection System rules.
    Debugging Installation errors
    Check the Event Viewer, as most of the support programs will throw FATAL errors into the Windows Application log.

    General tutorial issues
    For general problem issues that pertain to this specific tutorial, left-click the 'Get Community Support' button at the top of this tutorial, or manually navigate to the correct community support forum pertaining to this specific tutorial.

    Feedback
    I would love to get feedback from you about this tutorial. For any recommendations or ideas, please leave feedback HERE.

    Michael E. Steele | Microsoft Certified Systems Engineer (MCSE)
    Email Support: support@winsnort.com
    Snort: Open Source Network IDS - www.snort.org
    • 6,078 views
    Updated
  4. Construction and Use of a Passive Ethernet Tap
    Windows 10 / 11 / 2016 SE / 2019 SE / 2022 SE / 2025 SE
    Last Date Revised: May 12, 2026
    Written by: Michael E. Steele

    Get Community Support!  ➜
    Introduction
    These tutorials gives the basic instructions on how to build and deploying an Ethernet tap to an existing network.

    Copyright Notice
    This document is Copyright © 2003-2026 Michael Steele. All rights reserved. Permission to distribute this document is hereby granted providing that distribution is electronic, no money is involved, and this copyright notice is maintained. Other requests for distribution will be considered.

    Use the information in this document at your own risk. Michael Steele disavows any potential liability of this document. Use of the concepts, examples, and/or other content of this document are entirely at your own risk.

    This guide is written in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose.

    All copyrights are owned by their owners, unless specifically noted otherwise. Third-party trademarks or brand names are the property of their owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.

    Hardware Requirements
    A single 4-port Ethernet housing such as the Versatap AT44 Surface Jack Housing from Allen Tel Products 4 Category 5e modular snap-in jacks such as the AT55 Category 5e Modular Snap-In Jacks from Allen Tel Products A small section, about 6 inches, of Category 5e cable
    Construction
    Figure 1 represents the AT55 Category 5e jack. The wire termination pin positions and associated wire color codes are also shown.



    Figure 1: AT55 Category 5e Jack

    This diagram is usually included with new Category 5e jacks from any other vendor.

    Disassemble the section of Category 5e wire that you have into eight separate wires. These wires should have the same color codes as in Figure 1.

    The next step should be to partially assemble the Ethernet housing with the four jacks. These should snap into position easily. Once mounted, begin wiring the first jack position using the solid orange wire. Use the next diagram as a guide. The wires can be inserted with a small screwdriver or some other small flat tool.

    Once you have terminated all eight wires, trim off any excess wire that remains. Snap the housing closed, and you should now have a completed passive Ethernet tap (see Figure 2).



    Figure 2: Passive Ethernet Tap

    Instructions for Use
    Place the passive Ethernet tap inline between a host machine and the Ethernet switch using the two outside positions labeled "HOST". Verify that the link status indicators on your host Ethernet interface and the Ethernet switch are connected again. You may now connect the Ethernet port of your sniffer or IDS sensor into the Tap A and/or Tap B connectors of the passive Ethernet tap.

    Keep in mind that when you have a full-duplex Ethernet connection, Tap A will show half-duplex traffic and Tap B will show the remaining traffic. You will need to use two Ethernet interfaces to examine both halves of the full-duplex signal. If you use Sun Trunking software, the traffic can be reassembled. See sun.com for information on Sun Trunking software.
    Optional Companion Documents
    Be SURE to check out the available 'Companion Add-on Documents' to enhance the Windows Intrusion Detection System (WinIDS) experience. How to add Event Logging to a local Syslog Server.
    This tutorial will show how to configure Snort to send events to a local Syslog Server on an existing Windows Intrusion Detection System (WinIDS). How to add Event Logging to a remote Syslog Server.
    This tutorial will show how to configure Snort to send events to a remote Syslog Server from an existing Windows Intrusion Detection System (WinIDS). How to add Email Alerting to an existing Windows Intrusion Detection System (WinIDS)
    This tutorial will show how to email user-defined priority events on an existing Windows Intrusion Detection System (WinIDS). How to schedule automatic rules updating
    This tutorial is a simple-to-understand process on how to schedule automatic rules updating. How to compile Barnyard2 on Windows using Cygwin
    This tutorial is a simple-to-understand, step-by-step guide for compiling Barnyard2 on Windows using Cygwin (UNIX emulator). How to build and deploy a passive Ethernet tap
    This tutorial will show how to build and deploy a passive Ethernet tap.
    Updating the Windows Intrusion Detection System (WinIDS) Major components
    How to update the Snort Intrusion Detection Engine
    This tutorial will show how to update the Snort Intrusion Detection Engine. How to update the Windows Intrusion Detection System rules
    This tutorial will show how to update the Windows Intrusion Detection System rules.
    Debugging Installation errors
    For general problem issues that pertain to this specific tutorial, left-click the get community support button at the top of this tutorial, or manually navigate to the correct community support forum pertaining to this specific tutorial.

    Michael E. Steele | Microsoft Certified System Engineer (MCSE)
    Email Support: support@winsnort.com
    Snort: Open Source Network IDS - www.snort.org
    • 12,624 views
    Updated
  5. Logging Events to a Remote Syslog Server
    Windows 10 / 11 / 2016 SE / 2019 SE / 2022 SE / 2025 SE
    Last Date Revised: May 12, 2026
    Written by: Michael E. Steele

    Get Community Support!  ➜
    Introduction
    This tutorial provides the basic instructions on how to log events from a Windows Intrusion Detection System (WinIDS) to a remote Windows or UNIX Syslog Server.

    Copyright Notice
    This document is Copyright © 2003-2026 Michael Steele. All rights reserved. Permission to distribute this document is hereby granted providing that distribution is electronic, no money is involved, and this copyright notice is maintained. Other requests for distribution will be considered.

    Use the information in this document at your own risk. Michael Steele disavows any potential liability of this document. Use of the concepts, examples, and/or other content of this document is entirely at your own risk.

    This guide is written in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose.

    All copyrights are owned by their owners, unless specifically noted otherwise. Third-party trademarks or brand names are the property of their owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.

    Support Questions and Help
    All support questions related to this specific tutorial MUST be directed to the specific forum in which this Windows Intrusion Detection System (WinIDS) tutorial resides!

    By request, a premium fee service is available for one-on-one support.

    If you have not acquired this tutorial directly from the winsnort.com website, then you most likely do not have the latest revision of this tutorial!
    How to use this guide
    This installation is based on the installer being logged on with 'Administrator' privileges for the entire installation.

    The Windows Intrusion Detection System (WinIDS) will fail if the default installation path is not implemented correctly!
    The default installation path noted above is hard-coded into this tutorial and is also hard-coded into some of the install scripts. Installers will need to make the appropriate changes in both places if the default installation path is anything other than 'd:\winids', or if the support files are located anywhere other than the 'd:\temp' folder.

    The Windows Intrusion Detection System (WinIDS) will fail if the default installation path is not implemented correctly! Requires an existing Windows Intrusion Detection System (WinIDS) using one of the tutorials, either a standalone Windows Intrusion Detection System (WinIDS) or a remote Windows Intrusion Detection System (WinIDS). It is important when asked to 'Open a CMD window with Administrator privileges' that it is done, or the install will fail.

    It is also important when asked to 'Close a CMD window' that it is done, or the install will fail.

    Note: The user installing this tutorial MUST be a member of the Administrators group.

    Note: If the User Account Control dialog box appears at ANY time during this install, ALWAYS left-click 'Yes' to continue, or the install will fail.

    Instructions on starting a command prompt as an Administrator

    In the Windows Search box, type cmd, and then press CTRL+SHIFT+ENTER.

    Prepping for the Windows Intrusion Detection System (WinIDS) Tutorial

    Assumptions being made prior to starting this tutorial
    An existing Windows Intrusion Detection System (WinIDS) has been installed. A Windows or UNIX Syslog Server has been installed on the remote PC. The IP address of the remote PC where the Syslog Server has been installed is known. The Syslog listening port is known on the remote Syslog Server (suggest 514). The status of the listening port for the remote Syslog Server MUST be open for connections.
    Testing for an open listening port on the remote Syslog Server
    From the Windows Intrusion Detection System (WinIDS), go to the 'You Get Signal' website. Replace the local IP address with the IP Address of the remote Syslog Server in the 'Remote Address' dialog box. In the 'Port Number' dialog box, type the listening port number of the remote Syslog Server, and left-click 'Check'.

    *** If the above response is CLOSED, then do not proceed until the status is OPEN. ***
    Configuring the Windows Intrusion Detection System (WinIDS) for Remote Syslog logging

    Configuring Snort to include Syslog logging
    Open a CMD window with Administrator privileges and type 'notepad2 d:\winids\snort\etc\snort.conf' (without the outside quotes), and tap the 'Enter' key.

    Use Find in Notepad2 to locate and change the variables below. Original Line(s): # output alert_syslog: LOG_AUTH LOG_ALERT
    Change to: output alert_syslog: host=SYSLOG_SVR_IP_ADDR:PORT, LOG_AUTH LOG_ALERT

    Make SURE the SYSLOG_SVR_IP_ADDR above reflects the IP Address of the remote Syslog server, and the PORT above reflects the listening port of the remote Syslog Server. Now save the file and exit Notepad2.

    Testing the Snort configuration file
    At the CMD prompt, type 'd:\winids\snort\bin\snort -W' (without the outside quotes), and tap the 'Enter' key.

    The following is a partial example of what might be listed as valid Network Interface Cards.
    Index Physical Address IP Address ----- ---------------- ---------- 1 00:0C:29:25:B4:96 0000:0000:fe80:0000:0000:0000:ad63:31cf In the above list, the 'Index' number is important and will need to be remembered for later use in this tutorial. There may be several Network Interface Cards listed, and it will be up to the installer to determine the correct Network Interface Card (Index number) that will be monitoring the Windows Intrusion Detection System (WinIDS).

    The switch for the Network Interface Card will always be '-ix' (without the outside quotes), and the 'x' (without the outside quotes) will always represent the 'Index' number of the Network Interface Card that will be monitoring the Windows Intrusion Detection System (WinIDS). At the CMD prompt, type 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix -T' (without the outside quotes), and tap the 'Enter' key.

    The above run line will require the 'Index' number of the monitoring Network Interface Card added to the 'x' above.

    This will start Snort in self-test mode for configuration and rule file testing. Depending on the resources used and/or available, it could take several minutes to run the self-test mode.

    If all the tests are passed, the following is a confirmation that the Snort configuration file and rules have tested successfully.
    Snort successfully validated the configuration! Snort exiting Do not proceed until 'Snort successfully validated the configuration!'
    Configuring the Snort service run line for the Syslog Server logging
    At the CMD prompt, type 'net stop snort' (without the outside quotes), and tap the 'Enter' key.

    At the CMD prompt, type 'cd /d d:\winids\snort\bin' (without the outside quotes), and tap the 'Enter' key.

    At the CMD prompt, type 'snort /SERVICE /SHOW' (without the outside quotes), and tap the 'Enter' key.

    The output display will be the full run line that Snort uses at startup, and might look like the following: Snort is currently configured to run as a Windows service using the following command-line parameters: -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -i1 At the CMD prompt, type 'snort /SERVICE /UNINSTALL' (without the outside quotes), and tap the 'Enter' key.

    The following is a confirmation that the Snort service was successfully removed from the services database. [SNORT_SERVICE] Attempting to uninstall the Snort service. [SNORT_SERVICE] Successfully removed registry keys from: \HKEY_LOCAL_MACHINE\SOFTWARE\Snort\ [SNORT_SERVICE] Successfully removed the Snort service from the Services database. The new Snort auto-start configuration line needs to be added that contains the switch to turn on the option to log all events to the Syslog Server.

    The Snort run line that should be entered below should be exactly what was displayed when the snort /SERVICE /SHOW command was run previously, except adding '-s' (without the outside quotes) to the end. At the CMD prompt, type 'snort /SERVICE /INSTALL -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -i1 -s' (without the outside quotes), and tap the 'Enter' key.

    The following is a confirmation that the Snort service was successfully added to the services database. [SNORT_SERVICE] Attempting to install the Snort service. [SNORT_SERVICE] The full path to the Snort binary appears to be: D:\winids\snort\bin\snort /SERVICE [SNORT_SERVICE] Successfully added registry keys to: \HKEY_LOCAL_MACHINE\SOFTWARE\Snort\ [SNORT_SERVICE] Successfully added the Snort service to the Services database. At the CMD prompt, type 'sc config snortsvc start= auto' (without the outside quotes), and tap the 'Enter' key.

    The following is a confirmation that the Snort auto-start service has been successfully activated. [SC] ChangeServiceConfig SUCCESS At the CMD prompt, type 'net start snort' (without the outside quotes), and tap the 'Enter' key.

    At the CMD prompt, type 'exit' (without the outside quotes), and tap the 'Enter' key.

    In Conclusion
    At this point, it could take several minutes before seeing events arrive in the remote Syslog Server.

    Optional Companion Documents
    Be SURE to check out the available 'Companion Add-on Documents' to enhance the Windows Intrusion Detection System (WinIDS) experience. How to add Event Logging to a local Syslog Server.
    This tutorial will show how to configure Snort to send events to a local Syslog Server on an existing Windows Intrusion Detection System (WinIDS). How to add Event Logging to a remote Syslog Server.
    This tutorial will show how to configure Snort to send events to a remote Syslog Server from an existing Windows Intrusion Detection System (WinIDS). How to add Email Alerting to an existing Windows Intrusion Detection System (WinIDS)
    This tutorial will show how to email user-defined priority events on an existing Windows Intrusion Detection System (WinIDS). How to schedule automatic rules updating
    This tutorial is a simple-to-understand process on how to schedule automatic rules updating. How to compile Barnyard2 on Windows using Cygwin
    This tutorial is a simple-to-understand, step-by-step guide for compiling Barnyard2 on Windows using Cygwin (UNIX emulator). How to build and deploy a passive Ethernet tap
    This tutorial will show how to build and deploy a passive Ethernet tap.
    Updating the Windows Intrusion Detection System (WinIDS) Major components
    How to update the Snort Intrusion Detection Engine
    This tutorial will show how to update the Snort Intrusion Detection Engine. How to update the Windows Intrusion Detection System rules
    This tutorial will show how to update the Windows Intrusion Detection System rules.
    Debugging Installation errors
    Check the Event Viewer, as most of the support programs will throw FATAL errors into the Windows Application log.

    General tutorial issues
    For general problem issues that pertain to this specific tutorial, left-click the 'Get Community Support' button at the top of this tutorial, or manually navigate to the correct community support forum pertaining to this specific tutorial.

    Feedback
    I would love to get feedback from you about this tutorial. For any recommendations or ideas, please leave feedback HERE.

    Michael E. Steele | Microsoft Certified Systems Engineer (MCSE)
    Email Support: support@winsnort.com
    Snort: Open Source Network IDS - www.snort.org
    • 2,872 views
    Updated

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.