Snort mailing list archives
Re: Snort logs not being written.
From: Y M <snort () outlook com>
Date: Sun, 25 Nov 2012 21:53:04 +0300
This may sound naive, but can you verify:

1. If snort is actually seeing traffic and generating alerts based on the traffic (you can easily test with icmps once protocol-icmp rules are enabled) by suffixing your snort running command with -A console; this will generate the alerts to the console instead of writing them to a log.

2. Check the snort.conf file and identify which plugin is used to write the logs, as snort is the one that writes the logs; barnyard2 only parses them (unified2 format) if the unified2 output plugin is used.

Did you compile snort from source? If so, which directory was configured to host the logs?

Please correct me if I misunderstood something.

Thanks.
YM

________________________________
From: GB
Sent: 11/25/2012 9:31 PM
To: 'Y M'
Subject: RE: [Snort-users] Snort logs not being written.

Thanks for the response YM. I am not actually starting BY2 since it really isn't being used or configured, just looking through its configs because that is determining where logs are used and being written.

Thanks,

From: Y M [mailto:snort () outlook com]
Sent: Sunday, November 25, 2012 10:08 AM
To: GB; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort logs not being written.

A similar issue I had, but it may not be related, was that snort was writing the unified2 logs to a different location from where barnyard2 was supposed to read the file; I was always reading an empty file. What's the command you use to start barnyard2? In my case I use the -d switch to specify the unified2 file directory, -f to specify the file name that barnyard2 should look for (as specified in your snort.conf in the barnyard2 output plugin section) and -w to specify the location of the waldo file, given that the barnyard2.conf has all the variables for sid-msg.map, gen-msg.map, reference, etc. file locations set up.

Hope this helps.
YM

_____
From: GB
Sent: 11/25/2012 7:23 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort logs not being written.

Logs of this issue but none matches my problem. Before I got there the business was going to use Barnyard2 (I am familiar with BY1 but 2 is new to me...). They decided they already had a collator, so decided they didn't need BY2, but discovered it had stopped writing logs post installation of BY2, sigh. I can see the Snort engine start up, I can watch it checking its sensors and I even found a BY2.config that looked like the culprit, but now it is just opening a log file with 0kb and nothing gets written to the file. This is all running under Fedora. I can't find anything on backing out or deactivating BY2, so any help would be appreciated. Thanks for your patience all!
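The check YM describes (which output plugin snort.conf names, and whether the unified2 file snort writes is the one barnyard2 is pointed at with -d/-f, or just a 0 kB file) can be scripted. This is an added diagnostic helper, not code from anyone in the thread; it assumes snort was started with "-l <logdir>" and that the spool files follow the usual "<filename>.<timestamp>" naming.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread). Assumes snort logs to the
# directory given with -l and that snort.conf carries an "output unified2:"
# line; the filename on that line is what barnyard2 expects via -f, in the
# directory given to barnyard2 with -d.

# Print the base filename from the first "output unified2:" line of a
# snort.conf, e.g. "snort.log" from
# "output unified2: filename snort.log, limit 128".
unified2_filename() {
    sed -n 's/^[[:space:]]*output[[:space:]]*unified2:.*filename[[:space:]]*\([^,[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Report the state of the unified2 spool in a log directory:
#   noplugin - snort.conf has no unified2 output line, so snort never writes one
#   missing  - no <base>.<timestamp> file exists in logdir (wrong -l / -d?)
#   empty    - files exist but every one is 0 bytes (the symptom in the thread)
#   ok       - at least one spool file has data
check_unified2() {
    conf="$1"; logdir="$2"
    base=$(unified2_filename "$conf")
    [ -n "$base" ] || { echo noplugin; return 1; }
    found=0
    for f in "$logdir/$base".*; do
        [ -e "$f" ] || continue
        found=1
        [ -s "$f" ] && { echo ok; return 0; }
    done
    [ "$found" -eq 1 ] && echo empty || echo missing
    return 1
}

# Constructed demo: a minimal snort.conf and a 0-byte spool file, the
# situation GB reports.
demo_dir=$(mktemp -d)
printf 'output unified2: filename snort.log, limit 128\n' > "$demo_dir/snort.conf"
: > "$demo_dir/snort.log.1353862800"
state=$(check_unified2 "$demo_dir/snort.conf" "$demo_dir") || true
echo "unified2 spool state: $state"   # prints: unified2 spool state: empty
```

Run it against the real snort.conf and the directory passed to snort with -l; "missing" or "empty" with snort running means the problem is on the snort side, before barnyard2 is involved.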