Snort mailing list archives
Re: Unable to configure unified2 output
From: Nick Moore <nmoore () sourcefire com>
Date: Wed, 31 Mar 2010 06:23:51 -0500
Mike,

I would recommend simply using the unified2 logger and then creating all of your output from Barnyard2. The whole reason that the unified output was created was to fork off most of the output processes so that Snort could process packets faster. If you read through the barnyard2.conf file in the installed code, you'll find lots of output options there.

Nick

On Tue, Mar 30, 2010 at 5:19 PM, Mike Lococo <mikelococo () gmail com> wrote:
Greetings,

I recently attempted to migrate to merged alert/log unified2 output using the following config:

    output unified2: filename snort-unified2.log, limit 128

When running this config I get snort.log.[epochtime] files instead of the snort-unified2.log.[epochtime] files that I expect. The snort.log files are tcpdump formatted... not unified2. It's not clear to me why this config doesn't work; it should be valid according to the manual and to many mailing-list examples.

If I make a trivial change to the config above...

    output log_unified2: filename snort-unified2.log, limit 128

... the tcpdump-formatted files are no longer created, and I do see snort-unified2.log.[epochtime] files as expected. However, I'd like to have a "merged" unified2 log with both alert and log information in it, as is specified in the previous "broken" config.

If I run snort with no output line configured at all, I get the same tcpdump-formatted snort.log files as I get with my broken unified2 config, which makes me think that there is something causing my config line to be ignored and I'm falling through to a default.

My initial configuration used the original unified "log" output and behaves as expected:

    output log_unified: filename snort0.log, limit 128

This created the expected snort0.log.[epochtime] files in /var/log/snort, and has worked well for quite some time. I can switch back to this config now and it still works as expected, so I feel fairly confident in the rest of my snort config/infrastructure.

Additional possibly relevant info:

* I'm running the latest stable snort (2.8.5.3 - Build 124).
* When running snort from the command line, I don't see any useful output printed to the screen in any of my test cases. The only relevant line appears to be "Initializing Output Plugins!", which never changes or echoes the output configuration that is being initialized.
* A similar problem was reported in the forum in November with no response: https://forums.snort.org/forums/snort-newbies/topics/problems-enabling-unified2-logging

Does anyone have any ideas about what could be going wrong, or additional troubleshooting steps to take? Since there's no error or problem indicator (other than failure to produce the desired logs) I'm not sure what to check next.

Thanks,
Mike Lococo

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Nick Moore, SFCE, CISSP, CISA
Sr. Systems Engineer
Voice 708-336-9041
Email nick.moore () sourcefire com
IM nickgmoore (Yahoo) nickgmoore38 (AIM)

Sourcefire - The Creators of Snort
www.sourcefire.com www.snort.org
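A check for the symptom Mike describes (a snort.log file that turns out to be tcpdump-formatted rather than unified2) and a look at what the unified2 path Nick recommends actually writes, as an added example that is not code from the thread, from Snort or from Barnyard2. The script tells a pcap file from a unified2 file by its leading bytes and decodes the two record types a Barnyard2 pipeline consumes most, the legacy IPv4 IDS event (record type 7, 52 bytes) and the packet record (type 2), following the big-endian record layout of Snort's unified2 format as I know it. Every sample byte, sensor and event ID, address and the HTTP payload below is constructed for the demonstration; none of it is a real capture or a real alert.

```python
"""Tell a pcap file from a unified2 file and decode unified2 records.

Added example, not code from the thread, Snort or Barnyard2.  Record layouts
follow Snort's unified2 format: an 8-byte record header (type, length) in
network byte order, the legacy IPv4 IDS event (type 7, 52 bytes) and the
packet record (type 2, 28-byte header followed by packet bytes).  All sample
data in this file is constructed by hand.
"""
import struct
import sys

# pcap global-header magics: classic and nanosecond variants, both byte orders.
PCAP_MAGICS = {b"\xa1\xb2\xc3\xd4", b"\xd4\xc3\xb2\xa1",
               b"\xa1\xb2\x3c\x4d", b"\x4d\x3c\xb2\xa1"}

U2_PACKET = 2          # Unified2Packet
U2_IDS_EVENT = 7       # Unified2IDSEvent (legacy IPv4)

RECORD_HDR = struct.Struct("!II")                 # type, length
IDS_EVENT = struct.Struct("!IIIIIIIIIIIHHBBBB")   # 52 bytes
PACKET_HDR = struct.Struct("!IIIIIII")            # 28 bytes, then packet data

IDS_EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision",
    "classification_id", "priority_id", "ip_source", "ip_destination",
    "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked",
)


def classify(data: bytes) -> str:
    """Return 'pcap', 'unified2' or 'unknown' from the start of a log file."""
    if data[:4] in PCAP_MAGICS:
        return "pcap"
    if len(data) >= RECORD_HDR.size:
        rtype, rlen = RECORD_HDR.unpack_from(data)
        # A plausible first record: a known type whose length fits the buffer.
        if rtype in (U2_PACKET, U2_IDS_EVENT) and RECORD_HDR.size + rlen <= len(data):
            return "unified2"
    return "unknown"


def ipv4(n: int) -> str:
    """Dotted-quad rendering of a host-order 32-bit address."""
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def parse_unified2(data: bytes) -> list:
    """Walk the record stream; returns [(kind, fields), ...]; raises on truncation."""
    records = []
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        body = data[off:off + rlen]
        if len(body) < rlen:
            raise ValueError(f"truncated record (type {rtype}) at offset {off}")
        if rtype == U2_IDS_EVENT and rlen == IDS_EVENT.size:
            ev = dict(zip(IDS_EVENT_FIELDS, IDS_EVENT.unpack(body)))
            ev["ip_source"] = ipv4(ev["ip_source"])
            ev["ip_destination"] = ipv4(ev["ip_destination"])
            records.append(("event", ev))
        elif rtype == U2_PACKET and rlen >= PACKET_HDR.size:
            hdr = PACKET_HDR.unpack_from(body)
            pkt_len = hdr[6]
            records.append(("packet", {
                "event_id": hdr[1], "linktype": hdr[5], "packet_length": pkt_len,
                "packet": body[PACKET_HDR.size:PACKET_HDR.size + pkt_len]}))
        else:
            records.append(("other", {"type": rtype, "length": rlen}))
        off += rlen
    return records


def build_sample() -> bytes:
    """Constructed unified2 stream: one event for gid 1 / sid 2000001, then its packet."""
    event = IDS_EVENT.pack(1, 7, 1269990000, 123456, 2000001, 1, 3, 29, 2,
                           0x0A000001, 0xC0A80105, 40000, 80, 6, 0, 0, 0)
    payload = b"GET / HTTP/1.0\r\n\r\n"   # arbitrary bytes standing in for a frame
    packet = PACKET_HDR.pack(1, 7, 1269990000, 1269990000, 123456, 1, len(payload)) + payload
    return (RECORD_HDR.pack(U2_IDS_EVENT, len(event)) + event
            + RECORD_HDR.pack(U2_PACKET, len(packet)) + packet)


# Constructed little-endian pcap global header (magic, version 2.4, zeroed rest).
SAMPLE_PCAP = b"\xd4\xc3\xb2\xa1\x02\x00\x04\x00" + b"\x00" * 16


if __name__ == "__main__":
    # Usage: python u2check.py /var/log/snort/snort.log.1269990000
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    kind = classify(blob)
    print("format:", kind)
    if kind == "unified2":
        for rec_kind, fields in parse_unified2(blob):
            print(rec_kind, fields)
```

Running it against a file that the broken config produced should print `format: pcap`, which is the quickest way to confirm that Snort fell through to its default tcpdump logger rather than the unified2 plugin; a file written by a working `output unified2:` line decodes as alternating event and packet records, the same stream Barnyard2 reads to produce its own outputs.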
Current thread:
- Unable to configure unified2 output Mike Lococo (Mar 30)
- Re: Unable to configure unified2 output Nick Moore (Mar 31)
- Re: Unable to configure unified2 output Mike Lococo (Mar 31)
- Re: Unable to configure unified2 output Todd Wease (Mar 31)
- Re: Unable to configure unified2 output JJ Cummings (Mar 31)
- Re: Unable to configure unified2 output Mike Lococo (Mar 31)
- Re: Unable to configure unified2 output Mike Lococo (Mar 31)
- Re: Unable to configure unified2 output JJ Cummings (Mar 31)
- Re: Unable to configure unified2 output Mike Lococo (Mar 31)
- Re: Unable to configure unified2 output JJ Cummings (Mar 31)
- Re: Unable to configure unified2 output Nick Moore (Mar 31)